Windows Analysis Report 8aAG42oIjb.exe

Overview

General Information

Sample Name: 8aAG42oIjb.exe
Analysis ID: 491912
MD5: 613617e5b41e1031a2d72e07afca8c29
SHA1: a1aaa2b0313898160c5c26b162a17179d4b164bc
SHA256: 889e9ef0fbe47480ebf02cfaa6d9f0516e134f6bcf63783ee5ea135471e147c2
Tags: exe, RaccoonStealer

Detection

Raccoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Self deletion via cmd delete
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Is looking for software installed on the system
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 0.2.8aAG42oIjb.exe.2150e50.1.raw.unpack Malware Configuration Extractor: Raccoon Stealer {"RC4_key2": "25ef3d2ceb7c85368a843a6d0ff8291d", "C2 url": "https://t.me/agrybirdsgamerept", "Bot ID": "5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4", "RC4_key1": "$Z2s`ten\\@bE9vzR"}
Multi AV Scanner detection for submitted file
Source: 8aAG42oIjb.exe Virustotal: Detection: 32%
Source: 8aAG42oIjb.exe ReversingLabs: Detection: 57%
Yara detected Raccoon Stealer
Source: Yara match File source: 0.2.8aAG42oIjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8aAG42oIjb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8aAG42oIjb.exe.2150e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8aAG42oIjb.exe.2150e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.8aAG42oIjb.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.8aAG42oIjb.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.673727656.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.659119952.0000000002220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.674067230.0000000002150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 8aAG42oIjb.exe PID: 3124, type: MEMORYSTR
Machine Learning detection for sample
Source: 8aAG42oIjb.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0042A130 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, 0_2_0042A130
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0040E139 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData, 0_2_0040E139
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0040CF54 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData, 0_2_0040CF54
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0040F2E6 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 0_2_0040F2E6
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0040D684 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree, 0_2_0040D684
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00429F5D CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 0_2_00429F5D
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00434A5F lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA, 0_2_00434A5F
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00420F09 __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot, 0_2_00420F09

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Unpacked PE file: 0.2.8aAG42oIjb.exe.400000.0.unpack
Uses 32bit PE files
Source: 8aAG42oIjb.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: 8aAG42oIjb.exe, 00000000.00000002.674487590.000000006E630000.00000002.00020000.sdmp, nss3.dll.0.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.0.dr
Source: Binary string: C:\cesuyerew\xebopepuy\vutugiwafotamu\purehuro_bef.pdb source: 8aAG42oIjb.exe
Source: Binary string: BC:\cesuyerew\xebopepuy\vutugiwafotamu\purehuro_bef.pdb source: 8aAG42oIjb.exe
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: 8aAG42oIjb.exe, 00000000.00000002.674339250.000000006E509000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: 8aAG42oIjb.exe, 00000000.00000002.674339250.000000006E509000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.0.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0043EFDD FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_0043EFDD
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.4:49751 -> 185.138.164.150:80
Source: Traffic Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.4:49751 -> 185.138.164.150:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://t.me/agrybirdsgamerept
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DEPTELECOMNSO-ASRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Host: t.me
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Content-Length: 128 Host: 185.138.164.150
Source: global traffic HTTP traffic detected: GET //l/f/p5H3KXwB3dP17SpzXqG4/0082491d8ce92dde3db733700e3efad352687de3 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 185.138.164.150
Source: global traffic HTTP traffic detected: GET //l/f/p5H3KXwB3dP17SpzXqG4/9a5837ddcde370a12fac7d7ad748894e8ca04822 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 185.138.164.150
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV Content-Length: 1418 Host: 185.138.164.150
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.99
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Tue, 28 Sep 2021 05:14:05 GMT Content-Type: application/octet-stream Content-Length: 916735 Connection: keep-alive Last-Modified: Wed, 01 Sep 2021 16:21:39 GMT ETag: "612fa893-dfcff" Accept-Ranges: bytes
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Tue, 28 Sep 2021 05:14:08 GMT Content-Type: application/octet-stream Content-Length: 2828315 Connection: keep-alive Last-Modified: Wed, 01 Sep 2021 16:21:39 GMT ETag: "612fa893-2b281b" Accept-Ranges: bytes
Source: unknown TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: 8aAG42oIjb.exe, 00000000.00000003.672343864.0000000002CC4000.00000004.00000001.sdmp String found in binary or memory: http://185.138.164.150/
Source: 8aAG42oIjb.exe, 00000000.00000003.672343864.0000000002CC4000.00000004.00000001.sdmp String found in binary or memory: http://185.138.164.150/)
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: http://185.138.164.150//l/f/p5H3KXwB3dP17SpzXqG4/0082491d8ce92dde3db733700e3efad352687de3
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: http://185.138.164.150//l/f/p5H3KXwB3dP17SpzXqG4/9a5837ddcde370a12fac7d7ad748894e8ca04822
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: http://185.138.164.150//l/f/p5H3KXwB3dP17SpzXqG4/9a5837ddcde370a12fac7d7ad748894e8ca048222nR5E
Source: 8aAG42oIjb.exe, 00000000.00000003.672343864.0000000002CC4000.00000004.00000001.sdmp String found in binary or memory: http://185.138.164.150/L
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: http://185.138.164.150/w;
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nssckbi.dll.0.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.0.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp, nssckbi.dll.0.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nssckbi.dll.0.dr String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://ocsp.accv.es0
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.0.dr String found in binary or memory: http://policy.camerfirma.com0
Source: nssckbi.dll.0.dr String found in binary or memory: http://repository.swisssign.com/0
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es00
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: http://www.mozilla.com0
Source: 8aAG42oIjb.exe, 00000000.00000003.672343864.0000000002CC4000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: sqlite3.dll.0.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: 8aAG42oIjb.exe, 00000000.00000003.672320146.0000000002CB2000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
Source: RYwTiizs2t.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RYwTiizs2t.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 8aAG42oIjb.exe, 00000000.00000003.672320146.0000000002CB2000.00000004.00000001.sdmp String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
Source: 8aAG42oIjb.exe, 00000000.00000003.672320146.0000000002CB2000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
Source: 8aAG42oIjb.exe, 00000000.00000003.672320146.0000000002CB2000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: 8aAG42oIjb.exe, 00000000.00000003.672343864.0000000002CC4000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: RYwTiizs2t.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RYwTiizs2t.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RYwTiizs2t.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: 8aAG42oIjb.exe, 00000000.00000003.672343864.0000000002CC4000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: nssckbi.dll.0.dr String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.0.dr String found in binary or memory: https://repository.luxtrust.lu0
Source: RYwTiizs2t.0.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: RYwTiizs2t.0.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 8aAG42oIjb.exe, 00000000.00000003.665168634.0000000002C48000.00000004.00000001.sdmp, 8aAG42oIjb.exe, 00000000.00000003.665151353.0000000002C43000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 8aAG42oIjb.exe, 00000000.00000003.665151353.0000000002C43000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: https://t.me/agryb
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: https://t.me/agrybirdsgamerept
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: https://telegram.org/img/t_logo.png
Source: nssckbi.dll.0.dr String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.0.dr String found in binary or memory: https://www.catcert.net/verarrel05
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp, qipcap.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 8aAG42oIjb.exe, 00000000.00000003.672343864.0000000002CC4000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: 8aAG42oIjb.exe, 00000000.00000003.672455258.0000000002C3F000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/favicon.ico
Source: RYwTiizs2t.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 8aAG42oIjb.exe, 00000000.00000003.672455258.0000000002C3F000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: unknown HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 185.138.164.150
Source: unknown DNS traffic detected: queries for: t.me
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: t.me
Source: global traffic HTTP traffic detected: GET //l/f/p5H3KXwB3dP17SpzXqG4/0082491d8ce92dde3db733700e3efad352687de3 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: global traffic HTTP traffic detected: GET //l/f/p5H3KXwB3dP17SpzXqG4/9a5837ddcde370a12fac7d7ad748894e8ca04822 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49750 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0042C157 __EH_prolog,GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown, 0_2_0042C157

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: 0.2.8aAG42oIjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8aAG42oIjb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8aAG42oIjb.exe.2150e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8aAG42oIjb.exe.2150e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.8aAG42oIjb.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.8aAG42oIjb.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.673727656.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.659119952.0000000002220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.674067230.0000000002150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 8aAG42oIjb.exe PID: 3124, type: MEMORYSTR

System Summary:

Uses 32bit PE files
Source: 8aAG42oIjb.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0040E139 0_2_0040E139
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0043E2E4 0_2_0043E2E4
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0042A2F9 0_2_0042A2F9
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0043628C 0_2_0043628C
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0042C383 0_2_0042C383
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00410648 0_2_00410648
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_004206DD 0_2_004206DD
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0040CF54 0_2_0040CF54
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_004210B1 0_2_004210B1
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0040F2E6 0_2_0040F2E6
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_004373C6 0_2_004373C6
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0040D684 0_2_0040D684
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00437819 0_2_00437819
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0041FD36 0_2_0041FD36
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0040BF59 0_2_0040BF59
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0041E014 0_2_0041E014
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0042E110 0_2_0042E110
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0044A480 0_2_0044A480
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0045A4BD 0_2_0045A4BD
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_004484BA 0_2_004484BA
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0045A5DD 0_2_0045A5DD
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0046475B 0_2_0046475B
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_004187EC 0_2_004187EC
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0041E857 0_2_0041E857
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0041EBE9 0_2_0041EBE9
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00422D2B 0_2_00422D2B
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0042AE7B 0_2_0042AE7B
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00418F0B 0_2_00418F0B
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00434FE3 0_2_00434FE3
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00442F90 0_2_00442F90
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: String function: 0044F0F9 appears 44 times
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: String function: 00467790 appears 110 times
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: String function: 00440940 appears 47 times
PE file does not import any functions
Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 8aAG42oIjb.exe, 00000000.00000002.674350522.000000006E512000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs 8aAG42oIjb.exe
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamenssdbm3.dll8 vs 8aAG42oIjb.exe
Source: 8aAG42oIjb.exe, 00000000.00000003.672359353.0000000002CE2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs 8aAG42oIjb.exe
Source: 8aAG42oIjb.exe, 00000000.00000002.674532468.000000006E66B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs 8aAG42oIjb.exe
PE file contains strange resources
Source: 8aAG42oIjb.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8aAG42oIjb.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8aAG42oIjb.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8aAG42oIjb.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8aAG42oIjb.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8aAG42oIjb.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8aAG42oIjb.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8aAG42oIjb.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: sqlite3.dll.0.dr Static PE information: Number of sections : 18 > 10
Source: 8aAG42oIjb.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 8aAG42oIjb.exe Virustotal: Detection: 32%
Source: 8aAG42oIjb.exe ReversingLabs: Detection: 57%
Source: 8aAG42oIjb.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\8aAG42oIjb.exe 'C:\Users\user\Desktop\8aAG42oIjb.exe'
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\8aAG42oIjb.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\8aAG42oIjb.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/67@1/2
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0042A224 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree, 0_2_0042A224
Source: softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: 8aAG42oIjb.exe, 00000000.00000002.674487590.000000006E630000.00000002.00020000.sdmp, sqlite3.dll.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: 8aAG42oIjb.exe, 00000000.00000002.674487590.000000006E630000.00000002.00020000.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 8aAG42oIjb.exe, 00000000.00000002.674487590.000000006E630000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: 8aAG42oIjb.exe, 00000000.00000002.674487590.000000006E630000.00000002.00020000.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 8aAG42oIjb.exe, 00000000.00000002.674487590.000000006E630000.00000002.00020000.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.0.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: 8aAG42oIjb.exe, 00000000.00000002.674487590.000000006E630000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 8aAG42oIjb.exe, 00000000.00000002.674487590.000000006E630000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 8aAG42oIjb.exe, 00000000.00000002.674487590.000000006E630000.00000002.00020000.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 8aAG42oIjb.exe, 00000000.00000002.674487590.000000006E630000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: 8aAG42oIjb.exe, 00000000.00000002.674487590.000000006E630000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 8aAG42oIjb.exe, 00000000.00000002.674487590.000000006E630000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00438EA2 __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,GetModuleFileNameA,_strlen,_mbstowcs,CreateProcessWithTokenW,CloseHandle,Process32NextW, 0_2_00438EA2
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Mutant created: \Sessions\1\BaseNamedObjects\user5L1M3_noturbusiness
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_01
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 8aAG42oIjb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: 8aAG42oIjb.exe, 00000000.00000002.674487590.000000006E630000.00000002.00020000.sdmp, nss3.dll.0.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.0.dr
Source: Binary string: C:\cesuyerew\xebopepuy\vutugiwafotamu\purehuro_bef.pdb source: 8aAG42oIjb.exe
Source: Binary string: BC:\cesuyerew\xebopepuy\vutugiwafotamu\purehuro_bef.pdb source: 8aAG42oIjb.exe
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: 8aAG42oIjb.exe, 00000000.00000002.674339250.000000006E509000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: 8aAG42oIjb.exe, 00000000.00000002.674339250.000000006E509000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.0.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Unpacked PE file: 0.2.8aAG42oIjb.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Unpacked PE file: 0.2.8aAG42oIjb.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_004000BB push edx; retf 0_2_004000C2
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_004407F0 push ecx; ret 0_2_00440803
PE file contains sections with non-standard names
Source: sqlite3.dll.0.dr Static PE information: section name: /4
Source: sqlite3.dll.0.dr Static PE information: section name: /19
Source: sqlite3.dll.0.dr Static PE information: section name: /31
Source: sqlite3.dll.0.dr Static PE information: section name: /45
Source: sqlite3.dll.0.dr Static PE information: section name: /57
Source: sqlite3.dll.0.dr Static PE information: section name: /70
Source: sqlite3.dll.0.dr Static PE information: section name: /81
Source: sqlite3.dll.0.dr Static PE information: section name: /92
Source: AccessibleHandler.dll.0.dr Static PE information: section name: .orpc
Source: AccessibleMarshal.dll.0.dr Static PE information: section name: .orpc
Source: IA2Marshal.dll.0.dr Static PE information: section name: .orpc
Source: lgpllibs.dll.0.dr Static PE information: section name: .rodata
Source: MapiProxy.dll.0.dr Static PE information: section name: .orpc
Source: MapiProxy_InUse.dll.0.dr Static PE information: section name: .orpc
Source: mozglue.dll.0.dr Static PE information: section name: .didat
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0042A2F9 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_0042A2F9
Binary contains a suspicious time stamp
Source: ucrtbase.dll.0.dr Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.9738824165
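
Three of the findings above can be re-derived from raw PE headers: the section table of the unpacked image differs from the on-disk file (.rsrc where the file has .reloc, and any rights change shows up the same way), several dropped DLLs carry section names outside the MSVC defaults, and ucrtbase.dll has a timestamp in 2054. Two caveats a triager should keep in mind: names of the form /4, /19, ... are COFF long-name slots (offsets into the string table) that GCC/MinGW builds such as sqlite3.dll emit, .orpc holds MIDL-generated proxy/stub data in COM marshalling DLLs, .didat is MSVC delay-load import data and .rodata is GCC's read-only data section, so none of these point at a packer; and Microsoft has stored a reproducible-build hash rather than a time in TimeDateStamp for its own binaries since Windows 10, so the 2054 date on ucrtbase.dll is expected. The packing indicators that do matter here are the 7.97 entropy of the initial sample's .text and the section swap on the unpacked image. The parser below is an added example written for this page, not code from the sandbox or from the sample; the STANDARD_SECTIONS allow-list, the classification strings and the build_pe() header blobs are the author's own constructions.

```python
"""Re-derive three Data Obfuscation findings from raw PE headers (no pefile needed).

Added example for this page, not code from the sandbox or the sample. The blobs
produced by build_pe() are constructed headers for offline testing, not real images.
"""
import re
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Allow-list of section names the usual MSVC toolchain emits (author's choice,
# not the sandbox's list). Anything else is reported as non-standard.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                     ".pdata", ".bss", ".tls", ".CRT", ".gfids", ".00cfg"}


def parse_sections(pe):
    """Return [(name, rights)] from the COFF section table; rights is a subset of 'ERW'."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + size_opt
    sections = []
    for i in range(nsec):
        name, *_, chars = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        rights = "".join(letter for letter, flag in (("E", IMAGE_SCN_MEM_EXECUTE),
                                                     ("R", IMAGE_SCN_MEM_READ),
                                                     ("W", IMAGE_SCN_MEM_WRITE)) if chars & flag)
        sections.append((name.rstrip(b"\0").decode("latin-1"), rights))
    return sections


def summarize(sections):
    """Same 'name:rights;' notation the report uses for the on-disk vs in-memory comparison."""
    return "".join(f"{name}:{rights};" for name, rights in sections)


def compare_section_tables(on_disk, in_memory):
    """Findings behind 'changes PE section rights': sections added/removed and rights changed."""
    disk, mem = dict(on_disk), dict(in_memory)
    findings = [f"{n} present only on disk" for n in disk.keys() - mem.keys()]
    findings += [f"{n} present only in memory" for n in mem.keys() - disk.keys()]
    findings += [f"{n} rights {disk[n]} -> {mem[n]}" for n in disk.keys() & mem.keys()
                 if disk[n] != mem[n]]
    return sorted(findings)


def classify_section_name(name):
    """Explain a non-standard section name so it is not mistaken for packer output."""
    if name in STANDARD_SECTIONS:
        return None
    if re.fullmatch(r"/\d+", name):
        return "COFF long-name slot (string-table offset); GCC/MinGW builds such as sqlite3.dll use these"
    if name == ".orpc":
        return "MIDL-generated RPC proxy/stub data (COM marshalling DLLs)"
    if name == ".didat":
        return "MSVC delay-load import data"
    if name == ".rodata":
        return "GCC read-only data (MSVC would use .rdata)"
    return "unknown section name; inspect entropy and rights"


def coff_timestamp(pe):
    """(raw TimeDateStamp, UTC string). Future dates deserve a look on third-party code,
    but Microsoft-built DLLs such as ucrtbase.dll carry a reproducible-build hash here."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    ts = struct.unpack_from("<I", pe, e_lfanew + 8)[0]
    return ts, datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_pe(sections, timestamp):
    """Constructed minimal PE header (not loadable) for exercising the parser offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), 0x1000, 0x1000 * (i + 1),
                                 0x200, 0, 0, 0, 0, 0, flags)
                     for i, (n, flags) in enumerate(sections))
    return dos + coff + table


if __name__ == "__main__":
    E, R, W = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    on_disk = build_pe([(".text", E | R), (".rdata", R), (".data", R | W), (".reloc", R)], 0x9E3394C7)
    unpacked = build_pe([(".text", E | R), (".rdata", R | W), (".data", R | W), (".rsrc", R)], 0x9E3394C7)
    print(summarize(parse_sections(unpacked)), "vs", summarize(parse_sections(on_disk)))
    for finding in compare_section_tables(parse_sections(on_disk), parse_sections(unpacked)):
        print(" -", finding)
    for name in ("/4", ".orpc", ".didat", ".rodata", ".text"):
        print(name, "->", classify_section_name(name))
    print(coff_timestamp(on_disk))
```

On a real case, feed parse_sections() the file from disk and the image dumped from the process (a ProcDump/Volatility memory dump works once the headers are re-aligned), and treat only rights changes and added executable sections as packing evidence; the name checks are there to explain the sandbox output, not to raise alerts.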

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ucrtbase.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
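
None of the files in this list is the stealer's own code. nss3.dll, softokn3.dll, freebl3.dll, nssdbm3.dll and mozglue.dll are Thunderbird's NSS build (the z:\task_1552562425\build\src\obj-thunderbird PDB paths above confirm the origin), sqlite3.dll reads browser databases, and the api-ms-win-* forwarders with vcruntime140.dll, msvcp140.dll and ucrtbase.dll are the MSVC runtime those DLLs need. Raccoon stages this toolkit so it can decrypt Mozilla credential stores and read browser SQLite files, which is why the report also flags mail-credential and browser-data theft and why most of these DLLs are never started as processes. The telemetry tell is therefore not the file names but the destination: a random 12-character directory directly under AppData\LocalLow, written by a desktop executable rather than an installer. The detector below is an added example for this page, not sandbox or sample code; its events mirror Sysmon Event ID 11 (FileCreate) fields, and the PIDs, timestamps, the 60-second window and the three-DLL threshold are constructed assumptions.

```python
"""Hunt the NSS/SQLite credential-decryption toolkit drop in FileCreate telemetry.

Added example for this page, not sandbox or sample code. Events are constructed to
mirror Sysmon Event ID 11 fields; PIDs, timestamps, window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# DLLs a stealer needs to decrypt Mozilla logins / key4.db and read browser SQLite stores.
NSS_TOOLKIT = {"nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll", "nssdbm3.dll", "sqlite3.dll"}
# Random-looking leaf directory directly under AppData\LocalLow, as uS0wV5wY9qH3 above.
STAGING_DIR = re.compile(r"\\appdata\\locallow\\[a-z0-9]{8,16}$", re.I)
WINDOW = timedelta(seconds=60)   # assumption: one run drops everything within seconds
MIN_TOOLKIT_HITS = 3             # assumption: three toolkit DLLs together is already unambiguous


def split_path(path):
    """'C:\\dir\\x.dll' -> ('C:\\dir', 'x.dll'); Sysmon logs backslash paths."""
    directory, _, name = path.rpartition("\\")
    return directory, name.lower()


def find_nss_staging(events):
    """Flag a process that writes >= MIN_TOOLKIT_HITS toolkit DLLs within WINDOW and puts
    at least one file into a random-named LocalLow directory. One finding per process.
    events: dicts with UtcTime (ISO 8601), ProcessId, Image, TargetFilename."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev["ProcessId"]].append((datetime.fromisoformat(ev["UtcTime"]), ev))
    findings = []
    for pid, evs in by_proc.items():
        evs.sort(key=lambda te: te[0])           # key= avoids comparing the dicts on ties
        for i, (t0, _) in enumerate(evs):
            hits, dirs = set(), set()
            for t, ev in evs[i:]:
                if t - t0 > WINDOW:
                    break
                directory, name = split_path(ev["TargetFilename"])
                if name in NSS_TOOLKIT:
                    hits.add(name)
                if STAGING_DIR.search(directory):
                    dirs.add(directory)
            if len(hits) >= MIN_TOOLKIT_HITS and dirs:
                findings.append({"ProcessId": pid, "Image": evs[0][1]["Image"],
                                 "staging_dirs": sorted(dirs), "toolkit": sorted(hits)})
                break
    return findings


def _ev(t, pid, image, target):
    return {"UtcTime": t, "ProcessId": pid, "Image": image, "TargetFilename": target}


STEALER = r"C:\Users\user\Desktop\8aAG42oIjb.exe"
STAGING = r"C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3"
INSTALLER = r"C:\Users\user\Downloads\Thunderbird Setup.exe"      # constructed benign writer
PROGFILES = r"C:\Program Files\Mozilla Thunderbird"

SAMPLE_EVENTS = [  # constructed records; names and paths follow the dropped-file list above
    _ev("2021-09-28T10:00:01", 5120, STEALER, STAGING + r"\nss3.dll"),
    _ev("2021-09-28T10:00:01", 5120, STEALER, STAGING + r"\softokn3.dll"),
    _ev("2021-09-28T10:00:02", 5120, STEALER, STAGING + r"\freebl3.dll"),
    _ev("2021-09-28T10:00:02", 5120, STEALER, STAGING + r"\mozglue.dll"),
    _ev("2021-09-28T10:00:02", 5120, STEALER, STAGING + r"\vcruntime140.dll"),
    _ev("2021-09-28T10:00:03", 5120, STEALER, r"C:\Users\user\AppData\LocalLow\sqlite3.dll"),
    # the same DLL set written by an installer into Program Files must not fire
    _ev("2021-09-28T10:05:00", 7004, INSTALLER, PROGFILES + r"\nss3.dll"),
    _ev("2021-09-28T10:05:00", 7004, INSTALLER, PROGFILES + r"\softokn3.dll"),
    _ev("2021-09-28T10:05:01", 7004, INSTALLER, PROGFILES + r"\freebl3.dll"),
    # a lone runtime DLL in a random LocalLow folder is below threshold and must not fire
    _ev("2021-09-28T10:07:00", 7320, r"C:\Users\user\AppData\Local\Temp\upd.exe",
        r"C:\Users\user\AppData\LocalLow\aB3dE5fG7hJ9\vcruntime140.dll"),
]

if __name__ == "__main__":
    for finding in find_nss_staging(SAMPLE_EVENTS):
        print(finding)
```

The two negative cases matter as much as the positive one: a Thunderbird install writes exactly these DLLs, so a name-only rule pages on every update, while the LocalLow staging directory plus the cluster of NSS libraries written by a non-installer is specific to credential stealers that borrow Mozilla's decryption code.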

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Process created: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\8aAG42oIjb.exe'
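
The one-liner waits ten seconds with timeout.exe so the parent can exit and release its file lock, then force-deletes the original executable. It is also the reason the HIPS section below shows cmd.exe spawning timeout.exe: that signature fires on an ordinary child-process creation inside this cleanup chain, not on injection. In endpoint telemetry the pattern is a cmd.exe whose command line deletes the path of its own parent image after a delay idiom (timeout, ping -n, choice /t). The detector below is an added example for this page, not sandbox or sample code; its records mirror Sysmon Event ID 1 (ProcessCreate) fields, the PIDs and the second and third records are constructed, and the first command line is the one from the report. The report renders the path in single quotes while real Sysmon output carries cmd's double quotes, so the regex accepts both.

```python
"""Detect the delayed self-delete one-liner in process-creation telemetry.

Added example for this page, not sandbox or sample code. Records mirror Sysmon
Event ID 1 fields; PIDs and the second and third records are constructed.
"""
import re

# Delay idioms that precede the delete: (pattern capturing the count, count -> seconds).
DELAY_PATTERNS = (
    (re.compile(r"\btimeout(?:\.exe)?\b(?:\s+/t)?\s+(\d+)", re.I), lambda n: n),
    # ping waits about one second between echoes, so -n 5 is roughly 4 s of delay
    (re.compile(r"\bping(?:\.exe)?\b[^&]*?-n\s+(\d+)", re.I), lambda n: max(n - 1, 0)),
    (re.compile(r"\bchoice\b[^&]*?/t\s+(\d+)", re.I), lambda n: n),
)
# del/erase with optional /f /q /s /a switches and an optionally quoted target path.
DELETE = re.compile(r"\b(?:del|erase)\b\s+((?:/[fqsa]\s+)*)['\"]?([^'\"&]+?)['\"]?\s*(?:&|$)", re.I)


def analyze_self_delete(event):
    """event: dict with Image, CommandLine, ParentImage. Returns a finding dict or None."""
    if event["Image"].rpartition("\\")[2].lower() != "cmd.exe":
        return None
    cmd = event["CommandLine"]
    m = DELETE.search(cmd)
    if not m:
        return None
    switches = m.group(1).lower().split()
    target = m.group(2).strip()
    delay = None
    for pattern, to_seconds in DELAY_PATTERNS:
        d = pattern.search(cmd)
        if d:
            delay = to_seconds(int(d.group(1)))
            break
    deletes_parent = target.lower() == event.get("ParentImage", "").lower()
    if not deletes_parent and delay is None:
        return None                       # ordinary cleanup, not worth an alert
    return {
        "target": target,
        "deletes_parent": deletes_parent,
        "delay_seconds": delay,
        "force_quiet": "/f" in switches and "/q" in switches,
        "severity": "high" if deletes_parent and delay is not None else "medium",
    }


def scan(events):
    """Return [(ProcessId, finding)] for every cmd.exe record that looks like a self-delete."""
    out = []
    for ev in events:
        finding = analyze_self_delete(ev)
        if finding:
            out.append((ev["ProcessId"], finding))
    return out


SAMPLE_EVENTS = [  # constructed records; the first CommandLine is the one from the report
    {"ProcessId": 6112, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\8aAG42oIjb.exe",
     "CommandLine": "cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "
                    "'C:\\Users\\user\\Desktop\\8aAG42oIjb.exe'"},
    {"ProcessId": 6380, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\upd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & '
                    'del "C:\\Users\\user\\AppData\\Local\\Temp\\upd.exe"'},
    {"ProcessId": 6520, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Tools\make.exe",
     "CommandLine": 'cmd.exe /c del /q "C:\\Temp\\build\\a.obj"'},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(pid, finding)
```

Keyed on ParentImage rather than on the fixed string, the rule survives renamed droppers and the ping and choice variants of the same trick, and the third record shows that a plain del without a delay and without the parent as target is ignored.
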
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_004206DD __EH_prolog,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004206DD

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\8aAG42oIjb.exe TID: 4780 Thread sleep time: -150000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 6264 Thread sleep count: 75 > 30 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Is looking for software installed on the system
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Registry key enumerated: More than 152 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00437819 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_00437819
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0043EFDD FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_0043EFDD
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW}

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0045C559 IsDebuggerPresent,OutputDebugStringW, 0_2_0045C559
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0042A2F9 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_0042A2F9
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00433882 __EH_prolog,DeleteFileA,CreateFileA,CreateFileA,WriteFile,CloseHandle,CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,lstrlenA,lstrlenA,lstrcpynA,lstrcpynA,lstrlenA,lstrcpynA,ReadFile,lstrlenA,lstrcpynA,WinHttpSetOption,WinHttpSetOption,WinHttpSetOption,WinHttpConnect,WinHttpConnect,WinHttpOpenRequest,WinHttpOpenRequest,WinHttpSendRequest,WinHttpReceiveResponse,WinHttpQueryDataAvailable,WinHttpReadData,WinHttpCloseHandle,WinHttpCloseHandle,CloseHandle,DeleteFileA,WinHttpCloseHandle,GetProcessHeap,HeapFree, 0_2_00433882
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0045A03D mov eax, dword ptr fs:[00000030h] 0_2_0045A03D
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0045A081 mov eax, dword ptr fs:[00000030h] 0_2_0045A081
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0045A0B2 mov eax, dword ptr fs:[00000030h] 0_2_0045A0B2
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00446C01 mov eax, dword ptr fs:[00000030h] 0_2_00446C01
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00446625 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00446625
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00440B62 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00440B62
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00440CC5 SetUnhandledExceptionFilter, 0_2_00440CC5
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00440EDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00440EDC

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK Jump to behavior

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,Sleep,GetUserNameA,Sleep,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,StrToIntA,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 0_2_0042C383
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_00437819
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00462391
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: EnumSystemLocalesW, 0_2_00458577
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: GetLocaleInfoW, 0_2_0046258C
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: EnumSystemLocalesW, 0_2_0046267E
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: EnumSystemLocalesW, 0_2_00462633
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: EnumSystemLocalesW, 0_2_00462719
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_004627A4
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: GetLocaleInfoW, 0_2_004629F7
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00462B1D
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: GetLocaleInfoW, 0_2_00458BA4
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: GetLocaleInfoW, 0_2_00462C23
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00462CF2
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_00440985 cpuid 0_2_00440985
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0043E03E GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_0043E03E
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_004371FA __EH_prolog,GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor, 0_2_004371FA
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0042A2F9 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_0042A2F9
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Code function: 0_2_0042C383 __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,Sleep,GetUserNameA,Sleep,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,StrToIntA,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 0_2_0042C383

Stealing of Sensitive Information:

Yara detected Raccoon Stealer
Source: Yara match File source: 0.2.8aAG42oIjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8aAG42oIjb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8aAG42oIjb.exe.2150e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8aAG42oIjb.exe.2150e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.8aAG42oIjb.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.8aAG42oIjb.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.673727656.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.659119952.0000000002220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.674067230.0000000002150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 8aAG42oIjb.exe PID: 3124, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: Electrum-LTC;26;Electrum-LTC\wallets;*;|
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: ElectronCash;26;ElectronCash\wallets;*;|
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: Jaxx;26;Jaxx;*;*cache*
Source: 8aAG42oIjb.exe, 00000000.00000002.674214510.0000000002C30000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: ;26;exodus
Source: 8aAG42oIjb.exe, 00000000.00000002.673950420.0000000000755000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum
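The wallet strings above are not loose filenames but records of a small target table: reading them as `name;CSIDL;sub-directory;include mask;exclude mask`, terminated by `|`, the three complete records resolve to directories under CSIDL 26, which is CSIDL_APPDATA (%APPDATA%), consistent with the resolved `C:\Users\user\AppData\Roaming\Exodus\exodus.wallet` path also found in memory. That field layout is an inference from the records visible on this page, not something the report documents. The parser below is an added example for this report, not code from the sample; it turns the records into rules, resolves them against a profile directory, and applies the include/exclude masks to a constructed file listing to show which files such a rule would collect (the Jaxx rule's `*cache*` exclusion is the interesting case). The CSIDL values other than 26 are standard constants included for completeness and do not occur in this sample's strings.

```python
"""Parse the wallet-target records in the Raccoon memory strings above and
resolve them to the directories and files the stealer would collect.
Added example for this report, not code from the sample.  Field meaning
(name ; CSIDL ; sub-directory ; include mask ; exclude mask, records ending
in '|') is inferred from the three records visible on the page.
"""
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ntpath import join as ntjoin

# Standard CSIDL folder ids (ShlObj.h), relative to the user profile.
# Only 26 (CSIDL_APPDATA) occurs in this sample's strings.
CSIDL_DIRS = {
    26: r"AppData\Roaming",   # CSIDL_APPDATA
    28: r"AppData\Local",     # CSIDL_LOCAL_APPDATA
    40: "",                   # CSIDL_PROFILE
}


@dataclass
class WalletRule:
    name: str
    csidl: int
    subdir: str
    include: str   # file-name mask
    exclude: str   # mask over the path relative to the rule directory ("" = none)


def parse_rules(blob: str) -> list[WalletRule]:
    rules = []
    for rec in blob.split("|"):
        parts = rec.strip().split(";")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # fragments such as ";26;exodus" carry no usable record
        name, csidl, subdir, include = parts[:4]
        exclude = parts[4] if len(parts) > 4 else ""
        rules.append(WalletRule(name, int(csidl), subdir, include, exclude))
    return rules


def resolve_dir(rule: WalletRule, profile: str = r"C:\Users\user") -> str:
    """Directory the rule points at (profile defaults to the sandbox user above)."""
    return ntjoin(profile, CSIDL_DIRS[rule.csidl], rule.subdir)


def select_files(rule: WalletRule, listing, profile: str = r"C:\Users\user"):
    """Apply the rule to a listing of full paths (constructed below; the real
    stealer walks the directory).  Masks are matched case-insensitively."""
    root = resolve_dir(rule, profile).lower() + "\\"
    chosen = []
    for path in listing:
        low = path.lower()
        if not low.startswith(root):
            continue
        rel = low[len(root):]
        fname = rel.rsplit("\\", 1)[-1]
        if not fnmatchcase(fname, rule.include.lower()):
            continue
        if rule.exclude and fnmatchcase(rel, rule.exclude.lower()):
            continue
        chosen.append(path)
    return chosen


# Records as they appear in the dumped strings (the page shows three; the
# trailing '|' terminator on the Jaxx record is assumed).
STRINGS = (
    r"Electrum-LTC;26;Electrum-LTC\wallets;*;|"
    r"ElectronCash;26;ElectronCash\wallets;*;|"
    r"Jaxx;26;Jaxx;*;*cache*|"
)

# Constructed listing of a victim profile; not taken from the sandbox.
LISTING = [
    r"C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\default_wallet",
    r"C:\Users\user\AppData\Roaming\Electrum-LTC\config",                 # outside wallets\
    r"C:\Users\user\AppData\Roaming\Jaxx\Local Storage\file__0.localstorage",
    r"C:\Users\user\AppData\Roaming\Jaxx\Cache\data_0",                   # dropped by *cache*
    r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\seed.seco",      # no complete rule on the page
]

if __name__ == "__main__":
    for rule in parse_rules(STRINGS):
        print(f"{rule.name:<14} {resolve_dir(rule)}")
        for f in select_files(rule, LISTING):
            print(f"    collect: {f}")
```

For hunting, the resolved directories are the file-access paths to watch for on hosts that actually have those wallets installed; on the sandbox VM most of them simply do not exist, which is why the report shows the strings but few corresponding file opens.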
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings Jump to behavior
Source: C:\Users\user\Desktop\8aAG42oIjb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\8aAG42oIjb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
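The file and registry accesses above are the stealer reading Chrome's SQLite credential stores and Outlook's account profiles directly, and that is the observable a detection can key on: the owning application opens those objects, an executable on the user's desktop does not. The script below is an added example for this report, not part of the sandbox output: it applies that rule to a constructed file/registry-access log in a generic `key=value` line format (not a specific EDR or Sysmon schema), allowlists chrome.exe and outlook.exe for their own stores, and then flags any process that sweeps more than one store category, which is what distinguishes a stealer from a single misbehaving tool. The event lines, timestamps and every PID except 3124 are constructed; the `Network\Cookies` path is where newer Chrome versions keep the cookie database and is not something this report shows.

```python
"""Flag processes other than the owning application that open browser or mail
credential stores, as 8aAG42oIjb.exe does above.  Added example for this
report; the log lines, timestamps and PIDs other than 3124 are constructed.
"""
import re
from ntpath import basename

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) op=(?P<op>\w+) target=(?P<target>.+)$"
)

# (category, pattern over the lower-cased target, images allowed to touch it)
STORES = [
    ("chrome",
     re.compile(r"\\google\\chrome\\user data\\[^\\]+\\(login data|cookies|web data)$"),
     {"chrome.exe"}),
    ("chrome",  # newer Chrome keeps cookies under Network\ (not seen in this report)
     re.compile(r"\\google\\chrome\\user data\\[^\\]+\\network\\cookies$"),
     {"chrome.exe"}),
    ("outlook",
     re.compile(r"^hkey_current_user\\software\\microsoft\\office\\outlook\\omi account manager\\accounts"),
     {"outlook.exe"}),
    ("outlook",
     re.compile(r"^hkey_current_user\\software\\microsoft\\windows nt\\currentversion\\windows messaging subsystem\\profiles\\"),
     {"outlook.exe"}),
]


def parse_event(line):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev


def classify(event):
    """Store category if this is a credential-store access by a process that
    does not own the store, else None."""
    target = event["target"].lower()
    image = basename(event["image"]).lower()
    for category, pattern, allowed in STORES:
        if pattern.search(target):
            return None if image in allowed else category
    return None


def analyze(lines):
    """Per-PID summary of unexpected store accesses: image, categories, hits."""
    report = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        category = classify(ev)
        if category is None:
            continue
        entry = report.setdefault(ev["pid"], {"image": ev["image"], "stores": set(), "hits": []})
        entry["stores"].add(category)
        entry["hits"].append((ev["ts"], category, ev["target"]))
    return report


def flag_stealer_like(lines, min_stores=2):
    """PIDs that swept at least `min_stores` different store categories."""
    return sorted(pid for pid, e in analyze(lines).items() if len(e["stores"]) >= min_stores)


# Constructed access log mirroring the report's file/registry events.
SAMPLE_EVENTS = [
    r"2021-09-22T10:01:03Z pid=5100 image=C:\Program Files\Google\Chrome\Application\chrome.exe op=FileOpen target=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2021-09-22T10:01:07Z pid=3124 image=C:\Users\user\Desktop\8aAG42oIjb.exe op=FileOpen target=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    r"2021-09-22T10:01:07Z pid=3124 image=C:\Users\user\Desktop\8aAG42oIjb.exe op=FileOpen target=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2021-09-22T10:01:07Z pid=3124 image=C:\Users\user\Desktop\8aAG42oIjb.exe op=FileOpen target=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"2021-09-22T10:01:08Z pid=3124 image=C:\Users\user\Desktop\8aAG42oIjb.exe op=RegOpen target=HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts",
    r"2021-09-22T10:01:08Z pid=3124 image=C:\Users\user\Desktop\8aAG42oIjb.exe op=RegOpen target=HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
    r"2021-09-22T10:02:00Z pid=4488 image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE op=RegOpen target=HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
    r"2021-09-22T10:03:11Z pid=4242 image=C:\Tools\backup.exe op=FileOpen target=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
]

if __name__ == "__main__":
    for pid, entry in analyze(SAMPLE_EVENTS).items():
        print(f"pid {pid} {entry['image']}: {sorted(entry['stores'])}, {len(entry['hits'])} accesses")
    print("stealer-like:", flag_stealer_like(SAMPLE_EVENTS))
```

The single-store hit from backup.exe is reported but not flagged, which is the point of the two-category threshold: legitimate backup or migration tools touch one store, while this sample walks browser files and mail profiles in the same second.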

Remote Access Functionality:

Yara detected Raccoon Stealer
Source: Yara match File source: 0.2.8aAG42oIjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8aAG42oIjb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8aAG42oIjb.exe.2150e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8aAG42oIjb.exe.2150e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.8aAG42oIjb.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.8aAG42oIjb.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.673727656.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.659119952.0000000002220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.674067230.0000000002150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 8aAG42oIjb.exe PID: 3124, type: MEMORYSTR