Windows Analysis Report
OgcktrbHkI.exe

Overview

General Information

Sample name: OgcktrbHkI.exe
Renamed because the original name is a hash value
Original sample name: 35f519000ad078d242c0bce097c59b31.exe
Analysis ID: 1436353
MD5: 35f519000ad078d242c0bce097c59b31
SHA1: 41a3c859c36a4240a51e6ce17ab269e8d2728eb0
SHA256: 1dc79692db8709e88fee042c5555f8432dc4638442887d8150b8b7c67f5f3eb2
Tags: 32, exe, trojan

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee

AV Detection

Source: OgcktrbHkI.exe Avira: detected
Source: jotunheim.name:443 URL Reputation: Label: malware
Source: vanaheim.cn:443 URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\Temp\pspizbvl.exe Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: vanaheim.cn Virustotal: Detection: 15% Perma Link
Source: C:\Users\user\AppData\Local\Temp\pspizbvl.exe Virustotal: Detection: 44% Perma Link
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe (copy) Virustotal: Detection: 44% Perma Link
Source: OgcktrbHkI.exe Virustotal: Detection: 43% Perma Link
Source: C:\Users\user\AppData\Local\Temp\pspizbvl.exe Joe Sandbox ML: detected
Source: OgcktrbHkI.exe Joe Sandbox ML: detected
Source: https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP Parser: No favicon

Compliance

Source: C:\Users\user\Desktop\OgcktrbHkI.exe Unpacked PE file: 0.2.OgcktrbHkI.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Unpacked PE file: 11.2.pspizbvl.exe.400000.0.unpack
Source: OgcktrbHkI.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\OgcktrbHkI.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49770 version: TLS 1.2

Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\kofydeki Jump to behavior
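A detection for the registry finding above, as an added example that is not code from the report or from Joe Sandbox: it scans Sysmon-style RegistryEvent records for writes under the Defender Exclusions keys (the logic behind the Sigma rule "Windows Defender Exclusions Added - Registry" listed in the signatures) and raises the severity when the writer is not a process that should manage Defender preferences, or when the excluded path sits under the Windows directory as C:\Windows\SysWOW64\kofydeki does here. The event records, the EXPECTED_WRITERS allow-list and the MsMpEng.exe path are constructed assumptions.

```python
"""Added example (not part of the report): flag writes to the Windows Defender
Exclusions registry keys, the behaviour recorded above for svchost.exe.
The events below are constructed Sysmon-style RegistryEvent records."""
import re
from dataclasses import dataclass

# Defender stores exclusions as values under these three subkeys; the value
# name is the excluded path, extension or process name.
EXCLUSION_KEY = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\",
    re.IGNORECASE,
)

# Processes allowed to manage Defender preferences. An assumption for this
# example (paths included); tune it to the environment. svchost.exe is absent.
EXPECTED_WRITERS = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
}

SYSTEM_DIRS = (r"c:\windows\syswow64", r"c:\windows\system32")


@dataclass
class RegistryEvent:
    event_id: int        # Sysmon 12/13/14 are RegistryEvent
    image: str           # process that performed the write
    target_object: str   # full registry path written


@dataclass
class Alert:
    severity: str
    reason: str
    event: RegistryEvent


def detect_exclusion_writes(events):
    """Return one Alert per exclusion write; severity is high when the writer
    is unexpected or the exclusion covers a system directory."""
    alerts = []
    for ev in events:
        if ev.event_id not in (12, 13, 14):
            continue
        m = EXCLUSION_KEY.search(ev.target_object)
        if not m:
            continue
        excluded = ev.target_object[m.end():]   # value name = what is excluded
        kind = m.group(1)
        severity = "medium"
        reason = f"Defender {kind} exclusion added for {excluded!r}"
        if ev.image.lower() not in EXPECTED_WRITERS:
            severity = "high"
            reason += f" by unexpected process {ev.image}"
        if excluded.lower().startswith(SYSTEM_DIRS):
            severity = "high"
            reason += "; exclusion covers a system directory"
        alerts.append(Alert(severity, reason, ev))
    return alerts


# Constructed sample: the first record mirrors the report (svchost.exe from
# SysWOW64 excluding C:\Windows\SysWOW64\kofydeki); the others are benign noise.
SAMPLE_EVENTS = [
    RegistryEvent(13, r"C:\Windows\SysWOW64\svchost.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\kofydeki"),
    RegistryEvent(13, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.log"),
    RegistryEvent(13, r"C:\Windows\System32\svchost.exe",
                  r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start"),
]

if __name__ == "__main__":
    for a in detect_exclusion_writes(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.reason}")
```

On a live host the same exclusions can be confirmed from PowerShell with Get-MpPreference (the ExclusionPath, ExclusionExtension and ExclusionProcess properties); an entry there that no administrator added is the corroborating artefact for this alert.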

Networking

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 109.107.161.150 443 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 217.69.139.150 25 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 74.125.137.26 25 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 104.47.53.36 25 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 67.195.228.110 25 Jump to behavior
Source: Malware configuration extractor URLs: vanaheim.cn:443
Source: Malware configuration extractor URLs: jotunheim.name:443
Source: Joe Sandbox View IP Address: 217.69.139.150
Source: Joe Sandbox View IP Address: 104.47.53.36
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View IP Address: 67.195.228.110
Source: Joe Sandbox View ASN Name: TELEPORT-TV-ASRU
Source: Joe Sandbox View ASN Name: YAHOO-GQ1US
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: global traffic TCP traffic: 192.168.2.4:49743 -> 104.47.53.36:25
Source: global traffic TCP traffic: 192.168.2.4:49757 -> 67.195.228.110:25
Source: global traffic TCP traffic: 192.168.2.4:49759 -> 74.125.137.26:25
Source: global traffic TCP traffic: 192.168.2.4:49773 -> 217.69.139.150:25
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32 (2 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183 (14 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157 (10 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.76 (4 occurrences)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (19 occurrences)
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree, 0_2_00402A62
Source: global traffic HTTP traffic detected:
    GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /async/ddljson?async=ntp:2 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /async/newtab_promos HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1
    Host: apis.google.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+83avNG6Z9wwMVh&MD=ybDA+rmd HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected:
    GET /widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP/1.1
    Host: ogs.google.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: iframe
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+83avNG6Z9wwMVh&MD=ybDA+rmd HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected:
    GET /log?format=json&hasfast=true&authuser=0 HTTP/1.1
    Host: play.google.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: NID=513=ON-263QZXt9Weooq4tM-X7f_gPZYX_UROX833_yqu-2GKj7wBRvMMF_Z8Hh_g785FV-f1eGZZ3bmuxVot588IRQ_TPzkUmoPYhH9VZfNdSFfe5oLbWL0o3mTVMkjR2y5hkTF1a_qbB89fDZKW_cIDuWlJVWJsC3zjL1NGiEc0tU
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic DNS traffic detected: DNS query: yahoo.com
Source: global traffic DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic DNS traffic detected: DNS query: ogs.google.com
Source: global traffic DNS traffic detected: DNS query: google.com
Source: global traffic DNS traffic detected: DNS query: smtp.google.com
Source: global traffic DNS traffic detected: DNS query: mail.ru
Source: global traffic DNS traffic detected: DNS query: mxs.mail.ru
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: unknown HTTP traffic detected:
    POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
    Host: play.google.com
    Connection: keep-alive
    Content-Length: 787
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    Content-Type: text/plain;charset=UTF-8
    X-Goog-AuthUser: 0
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Origin: https://ogs.google.com
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX
    Sec-Fetch-Site: same-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://ogs.google.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: NID=513=mPPPqpDMrDFUKWs8QWCE0CfLRBKkKmj_o5FDyqsicCmeUBwk9I5OXwE3RMm_CMffzYSx9ZIPSTxmM-VQzSv_mLJjyXRSUzvk9haotAWoVcJ8iqK3NFmfA42wDu-YwqQ9vhflBU2dO2t8pCNEAbMtpv2HO6denIteuHo8gbtxJng
Source: svchost.exe, 00000013.00000002.2876220211.000001AB38284000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000013.00000002.2876369214.000001AB382F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/
Source: svchost.exe, 00000013.00000003.1671389346.000001AB38418000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000013.00000003.1671389346.000001AB38418000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000013.00000003.1671389346.000001AB38418000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000013.00000003.1671389346.000001AB3844D000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000013.00000002.2876220211.000001AB38261000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2876300694.000001AB382D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2875660734.000001AB33502000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2876079309.000001AB3820F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2293597228.000001AB38142000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2876138784.000001AB3822C000.00000004.00000020.00020000.00000000.sdmp, edb.log.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/hhbs2fc5gftn5wsvpbv6ueh5wy_2024.4.30.0/go
Source: svchost.exe, 00000013.00000002.2876300694.000001AB382BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com:80
Source: qmgr.db.19.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: chromecache_60.20.dr String found in binary or memory: http://www.broofa.com
Source: chromecache_72.20.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_72.20.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_60.20.dr, chromecache_72.20.dr String found in binary or memory: https://apis.google.com
Source: chromecache_59.20.dr String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_72.20.dr String found in binary or memory: https://clients6.google.com
Source: chromecache_72.20.dr String found in binary or memory: https://content.googleapis.com
Source: chromecache_72.20.dr String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: chromecache_72.20.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: chromecache_60.20.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_60.20.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_60.20.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_60.20.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: edb.log.19.dr, qmgr.db.19.dr String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.19.dr, qmgr.db.19.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.19.dr, qmgr.db.19.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.19.dr, qmgr.db.19.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: edb.log.19.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: chromecache_75.20.dr String found in binary or memory: https://ogs.google.com/
Source: chromecache_75.20.dr String found in binary or memory: https://ogs.google.com/widget/app/so
Source: edb.log.19.dr, qmgr.db.19.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.19.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: chromecache_60.20.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_72.20.dr String found in binary or memory: https://plus.google.com
Source: chromecache_72.20.dr String found in binary or memory: https://plus.googleapis.com
Source: chromecache_75.20.dr String found in binary or memory: https://ssl.gstatic.com
Source: chromecache_59.20.dr String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_72.20.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: chromecache_59.20.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: chromecache_72.20.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_72.20.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_75.20.dr String found in binary or memory: https://www.gstatic.com
Source: chromecache_75.20.dr String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.
Source: chromecache_60.20.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_60.20.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_60.20.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49770 version: TLS 1.2
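The Networking section above records the two behaviours that matter for detection: svchost.exe (PID 6912, the injected system process) opening outbound TCP/25 sessions to several mail exchangers after resolving their MX hosts, and the same process reaching TCP/443 while the extracted configuration names vanaheim.cn:443 and jotunheim.name:443 as C2. The following is an added example, not code from the report or from Joe Sandbox, that runs that logic over connection records: it flags port-25 traffic from anything that is not a mail client (the Sigma "Suspicious Outbound SMTP Connections" logic), counts distinct SMTP destinations per PID to catch spam-bot fan-out, and matches destination hostnames against the configured C2 list. The records are constructed from the report's IPs, ports and PID; the hostname column is an assumed DNS correlation, and MAIL_CLIENTS and the fan-out threshold are assumptions.

```python
"""Added example (not part of the report): flag the network pattern recorded
above, a system process sending SMTP to many mail exchangers while also
contacting hosts named in the extracted Tofsee configuration.
Connection records are constructed from the Networking section."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# C2 endpoints taken verbatim from the report's malware configuration extractor.
C2_HOSTS = {"vanaheim.cn", "jotunheim.name"}

# Processes expected to speak SMTP at all (assumption; tune per site).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Distinct port-25 destinations from one PID before it counts as fan-out.
SMTP_FANOUT_THRESHOLD = 3


@dataclass(frozen=True)
class Conn:
    process: str        # image name of the connecting process
    pid: int
    dst_ip: str
    dst_port: int
    dst_host: str = ""  # hostname from a correlated DNS answer, if any


def is_private(ip):
    return ipaddress.ip_address(ip).is_private


def analyse(conns):
    """Return (kind, detail) findings. detail is the Conn, or for fan-out the
    (process, pid) key together with its sorted destination list."""
    findings = []
    smtp_dsts = {}
    for c in conns:
        proc = c.process.lower()
        # Port 25 from a non-mail-client to the Internet: one finding per session.
        if c.dst_port == 25 and not is_private(c.dst_ip) and proc not in MAIL_CLIENTS:
            findings.append(("smtp_from_non_mail_client", c))
            smtp_dsts.setdefault((proc, c.pid), set()).add(c.dst_ip)
        # Any destination that resolves to a configured C2 host.
        if c.dst_host.lower() in C2_HOSTS:
            findings.append(("known_c2_host", c))
    # A single PID spraying many mail exchangers is the spam-module signature.
    for key, dsts in smtp_dsts.items():
        if len(dsts) >= SMTP_FANOUT_THRESHOLD:
            findings.append(("smtp_fanout", (key, sorted(dsts))))
    return findings


def summarise(findings):
    return Counter(kind for kind, _ in findings)


# Constructed records. IPs, ports and the svchost.exe PID follow the report;
# dst_host is an assumed correlation (the report lists DNS queries and
# connections separately, not which answer fed which socket).
SAMPLE_CONNS = [
    Conn("svchost.exe", 6912, "104.47.53.36", 25, "microsoft-com.mail.protection.outlook.com"),
    Conn("svchost.exe", 6912, "67.195.228.110", 25, "mta6.am0.yahoodns.net"),
    Conn("svchost.exe", 6912, "74.125.137.26", 25, "smtp.google.com"),
    Conn("svchost.exe", 6912, "217.69.139.150", 25, "mxs.mail.ru"),
    Conn("svchost.exe", 6912, "109.107.161.150", 443, "vanaheim.cn"),
    Conn("svchost.exe", 1040, "20.114.59.183", 443, ""),   # 443 alone is not flagged
    Conn("outlook.exe", 4321, "104.47.53.36", 25, ""),      # legitimate mail client
]

if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_CONNS):
        print(kind, detail)
```

The 443 connections are deliberately not flagged on port alone: the same svchost.exe family also carries Windows Update traffic, so a C2 match needs the hostname or IP from the extracted configuration, while the port-25 fan-out is the behaviour that separates this process from any legitimate service host.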

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OgcktrbHkI.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pspizbvl.exe PID: 3156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6912, type: MEMORYSTR

System Summary

Source: 11.2.pspizbvl.exe.2310e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.pspizbvl.exe.2310e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.OgcktrbHkI.exe.1bc0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.OgcktrbHkI.exe.1bc0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.3.pspizbvl.exe.2330000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.3.pspizbvl.exe.2330000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.1671898553.0000000001C1B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.1671238466.0000000001B45000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Detects Tofsee Author: ditekSHen
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00408E26
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError, 0_2_00401280
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\kofydeki\
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_0040C913 0_2_0040C913
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Code function: 11_2_0040C913 11_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_00CDC913 13_2_00CDC913
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: String function: 01BA27AB appears 35 times
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3156 -ip 3156
Source: OgcktrbHkI.exe, 00000000.00000000.1606556854.00000000019F8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesFirezer0 vs OgcktrbHkI.exe
Source: OgcktrbHkI.exe, 00000000.00000002.1672013177.0000000001C31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesFirezer0 vs OgcktrbHkI.exe
Source: OgcktrbHkI.exe Binary or memory string: OriginalFilenamesFirezer0 vs OgcktrbHkI.exe
Source: OgcktrbHkI.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 11.2.pspizbvl.exe.2310e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.pspizbvl.exe.2310e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.OgcktrbHkI.exe.1bc0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.OgcktrbHkI.exe.1bc0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.3.pspizbvl.exe.2330000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.3.pspizbvl.exe.2330000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000002.1671898553.0000000001C1B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000002.1671238466.0000000001B45000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: classification engine Classification label: mal100.troj.evad.winEXE@51/39@20/12
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError, 0_2_00406A60
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_01C2046B CreateToolhelp32Snapshot,Module32First, 0_2_01C2046B
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 11_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_00CD9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 13_2_00CD9A6B
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:3940:64:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1856:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:7112:64:WilError_03
Source: C:\Users\user\Desktop\OgcktrbHkI.exe File created: C:\Users\user\AppData\Local\Temp\pspizbvl.exe
Source: OgcktrbHkI.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OgcktrbHkI.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OgcktrbHkI.exe Virustotal: Detection: 43%
Source: C:\Users\user\Desktop\OgcktrbHkI.exe File read: C:\Users\user\Desktop\OgcktrbHkI.exe
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\OgcktrbHkI.exe "C:\Users\user\Desktop\OgcktrbHkI.exe"
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kofydeki\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\kofydeki\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description kofydeki "wifi internet conection"
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start kofydeki
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d"C:\Users\user\Desktop\OgcktrbHkI.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3156 -ip 3156
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6672 -ip 6672
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1976,i,15118944360220751254,1504055466682295701,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 544
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 648
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kofydeki\ Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\kofydeki\ Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support" Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description kofydeki "wifi internet conection" Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start kofydeki Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1976,i,15118944360220751254,1504055466682295701,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6672 -ip 6672 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3156 -ip 3156 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 544 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 648 Jump to behavior
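The process list above is the whole persistence chain in order: the dropper creates a directory under SysWOW64, moves the temp-dropped executable there, registers it as an auto-start service named kofydeki with the display name "wifi support", starts it, the service binary spawns a bare svchost.exe with no -k group (the injection host), and netsh adds an inbound allow rule for that SysWOW64\svchost.exe. Note that netsh.exe is created directly by the dropper, not through cmd.exe, so the trailing >nul reaches netsh as a literal argument; a redirection token only a shell would interpret is a cheap fingerprint on its own. A detection should key on the chain rather than on any single command, since sc.exe and netsh.exe are ordinary admin tools. The Python below is an added example written for this page, not code from the report or from the sandbox vendor: it parses the report's own "Process created:" lines (copied as sample input, the last three acting as negative controls), emits a finding per link of the chain, and reports whether all three links are present. The rule names, the trusted service directories and the user-writable path fragments are the example's own assumptions.

```python
"""Flag the service-persistence chain from a sandbox report's
'Process created:' lines.  Added example for this page; rule names and
the path allow/deny lists below are the example's own assumptions."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule image detail")

# Sample input: all lines are copied from the report above.  The last
# three are negative controls: a normal '-k' svchost with no visible
# parent, a Chrome launch, and an unresolved child the parser must skip.
SAMPLE = r"""
Source: unknown Process created: C:\Users\user\Desktop\OgcktrbHkI.exe "C:\Users\user\Desktop\OgcktrbHkI.exe"
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kofydeki\
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
"""

LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) (?P<cmdline>.*)$",
    re.IGNORECASE)
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")  # assumption
TRUSTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\",
                        "c:\\program files (x86)\\")                        # assumption
LOLBINS = {"sc.exe", "netsh.exe"}


def parse(text):
    """Split report lines into parent / image / command line; drop link labels."""
    events = []
    for raw in text.splitlines():
        line = re.sub(r"\s+Jump to (behavior|dropped file)$", "", raw.strip())
        m = LINE_RE.match(line)
        if m:                      # 'unknown unknown' children do not match
            events.append(m.groupdict())
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def quoted_arg(cmdline, key):
    """Value of key= "..." as sc.exe/netsh take it, honouring backslash-quote escapes."""
    m = re.search(key + r'=\s*"((?:[^"\\]|\\.)*)"', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def analyze(events):
    findings = []
    for ev in events:
        image, cmd = ev["image"], ev["cmdline"]
        img, par = basename(image), basename(ev["parent"])

        if img == "sc.exe":                       # link 1: service install
            m = re.search(r"\bcreate\s+(\S+)", cmd, re.IGNORECASE)
            exe = (quoted_arg(cmd, "binPath") or "").split()
            if m and exe and not exe[0].lower().startswith(TRUSTED_SERVICE_DIRS):
                findings.append(Finding("service_binary_outside_trusted_dirs",
                                        image, f"{m.group(1)} -> {exe[0]}"))

        if img == "netsh.exe" and "action=allow" in cmd.lower():   # link 3: firewall hole
            prog = quoted_arg(cmd, "program") or ""
            if prog.lower().startswith("c:\\windows\\"):
                findings.append(Finding("firewall_allow_for_windows_binary", image,
                                        f'{quoted_arg(cmd, "name")} -> {prog}'))

        if ">nul" in cmd and par != "cmd.exe":    # shell token with no shell in the chain
            findings.append(Finding("shell_redirect_passed_as_argv", image, cmd[-40:]))

        if img == "svchost.exe":                  # link 2: injection host
            if par not in ("services.exe", "unknown") or "-k" not in cmd.split():
                findings.append(Finding("svchost_anomalous_launch", image,
                                        f"parent={par} cmdline={cmd}"))

        if img in LOLBINS and any(d in ev["parent"].lower() for d in USER_WRITABLE):
            findings.append(Finding("lolbin_from_user_writable_parent", image, ev["parent"]))
    return findings


def is_service_persistence_chain(findings):
    """True when install, injection host and firewall exception are all present."""
    rules = {f.rule for f in findings}
    return {"service_binary_outside_trusted_dirs", "svchost_anomalous_launch",
            "firewall_allow_for_windows_binary"} <= rules


if __name__ == "__main__":
    found = analyze(parse(SAMPLE))
    for f in found:
        print(f"[{f.rule}] {f.image}: {f.detail}")
    print("service persistence chain:", is_service_persistence_chain(found))
```

Run against the sample the script yields six findings and a positive chain verdict; the System32 svchost.exe started with -k netsvcs and an unknown parent is not flagged, which is the point of keying svchost anomalies on the missing -k group and the non-services.exe parent rather than on svchost.exe alone. For live telemetry the same logic applies to Sysmon event 1 or Security 4688 fields (ParentImage, Image, CommandLine) in place of the report lines.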
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\OgcktrbHkI.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: OgcktrbHkI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: C:\Users\user\Desktop\OgcktrbHkI.exe Unpacked PE file: 0.2.OgcktrbHkI.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Unpacked PE file: 11.2.pspizbvl.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Unpacked PE file: 0.2.OgcktrbHkI.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Unpacked PE file: 11.2.pspizbvl.exe.400000.0.unpack
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_01C23753 push 0000002Bh; iretd 0_2_01C23759
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_01C1B12B push edi; ret 0_2_01C1B1FA
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_01C1B4B5 push eax; ret 0_2_01C1B4BA
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Code function: 11_2_01B4CDBB push 0000002Bh; iretd 11_2_01B4CDC1
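The Data Obfuscation entries above record two control-transfer gadgets rather than normal branches: push imm; iretd (iretd pops EIP, CS and EFLAGS from the stack, so the branch target is whatever the code arranged there) and push reg; ret (a jmp reg in disguise that a linear-sweep disassembler does not follow). The scanner below is an added example for this page, not code from the report or from the sandbox; it finds the adjacent-byte form of both patterns in a 32-bit code blob and also decodes the push imm32; ret variant to its absolute target, a form the report does not list but which is the same trick. The sample bytes are constructed. Two caveats: the report's second address for push edi; ret (01C1B1FA, 0xCF bytes after the push at 01C1B12B) shows the sandbox also pairs a push with a ret that is far away, and that spread-out form needs a disassembler rather than a byte scan; and a byte scan is not instruction-aligned, so hits can land inside a longer instruction or in data and should be confirmed in a disassembler.

```python
"""Find push/iretd and push/ret control-transfer gadgets in 32-bit code.
Added example for this page; BLOB is constructed, not bytes from the sample."""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed blob: a normal prologue, then the gadget shapes with filler.
BLOB = bytes.fromhex(
    "55 8b ec"           # offset 0:  push ebp; mov ebp, esp
    "68 2b 00 00 00 cf"  # offset 3:  push 0x2B; iretd
    "90 90"              # offset 9:  nop; nop
    "57 c3"              # offset 11: push edi; ret
    "68 78 56 34 12 c3"  # offset 13: push 0x12345678; ret  (jmp 0x12345678)
    "50 c3"              # offset 19: push eax; ret
    "c3"                 # offset 21: ret
)


def find_gadgets(code, base=0):
    """Return (va, kind, asm) for every gadget found by a byte-wise scan.

    The scan is not instruction-aligned, so a hit can also land inside a
    longer instruction or in data; confirm candidates in a disassembler.
    """
    hits = []
    for i, b in enumerate(code):
        if b == 0x6A and i + 2 < len(code) and code[i + 2] == 0xCF:
            # 6A ib CF : push imm8; iretd
            hits.append((base + i, "push_imm_iretd", f"push 0x{code[i + 1]:02X}; iretd"))
        elif b == 0x68 and i + 5 < len(code) and code[i + 5] in (0xCF, 0xC3):
            # 68 id CF : push imm32; iretd    68 id C3 : push imm32; ret (= jmp imm32)
            imm = struct.unpack_from("<I", code, i + 1)[0]
            if code[i + 5] == 0xCF:
                hits.append((base + i, "push_imm_iretd", f"push 0x{imm:08X}; iretd"))
            else:
                hits.append((base + i, "push_imm_ret",
                             f"push 0x{imm:08X}; ret  ; jmp 0x{imm:08X}"))
        elif 0x50 <= b <= 0x57 and i + 1 < len(code) and code[i + 1] == 0xC3:
            # 50+r C3 : push r32; ret (= jmp r32)
            hits.append((base + i, "push_reg_ret", f"push {REG32[b - 0x50]}; ret"))
    return hits


if __name__ == "__main__":
    # base is a hypothetical image base chosen for readable output
    for va, kind, asm in find_gadgets(BLOB, base=0x00401000):
        print(f"{va:08X}  {kind:15s} {asm}")
```

To run it over a real sample, feed it the bytes of the executable section (the .text section with IMAGE_SCN_MEM_EXECUTE listed above) and pass that section's virtual address as base so that hits line up with the addresses the report prints.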

Persistence and Installation Behavior

Source: unknown Executable created and started: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\OgcktrbHkI.exe File created: C:\Users\user\AppData\Local\Temp\pspizbvl.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kofydeki Jump to behavior
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\svchost.exe File deleted: c:\users\user\desktop\ogcktrbhki.exe
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 13_2_00CD199C
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\svchost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\svchost.exe Evaded block: after key decision
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\OgcktrbHkI.exe API coverage: 5.4 %
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe API coverage: 4.0 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 8068 Thread sleep count: 31 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 8068 Thread sleep time: -31000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7304 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
Source: svchost.exe, 00000013.00000002.2876176032.000001AB38258000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.2874366057.0000000003200000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: svchost.exe, 00000013.00000002.2875300242.000001AB32C2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: C:\Users\user\Desktop\OgcktrbHkI.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_01BA0D90 mov eax, dword ptr fs:[00000030h] 0_2_01BA0D90
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_01BA092B mov eax, dword ptr fs:[00000030h] 0_2_01BA092B
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_01C1FD48 push dword ptr fs:[00000030h] 0_2_01C1FD48
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Code function: 11_2_01B493B0 push dword ptr fs:[00000030h] 11_2_01B493B0
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Code function: 11_2_0231092B mov eax, dword ptr fs:[00000030h] 11_2_0231092B
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Code function: 11_2_02310D90 mov eax, dword ptr fs:[00000030h] 11_2_02310D90
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 11_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_00CD9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 13_2_00CD9A6B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 109.107.161.150 443
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 74.125.137.26 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 104.47.53.36 25
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 67.195.228.110 25
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: CD0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: CD0000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: CD0000
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: AC8008
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kofydeki\
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\kofydeki\
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create kofydeki binPath= "C:\Windows\SysWOW64\kofydeki\pspizbvl.exe /d\"C:\Users\user\Desktop\OgcktrbHkI.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description kofydeki "wifi internet conection"
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start kofydeki
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6672 -ip 6672
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3156 -ip 3156
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 544
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 648
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, 0_2_0040B211
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey, 0_2_00409326

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

Stealing of Sensitive Information

Source: Yara match File source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OgcktrbHkI.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pspizbvl.exe PID: 3156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6912, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.OgcktrbHkI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.2490000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.svchost.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.svchost.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OgcktrbHkI.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.OgcktrbHkI.exe.1bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OgcktrbHkI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.2490000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.pspizbvl.exe.2330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.pspizbvl.exe.2310e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2873883444.0000000000CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1671546746.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1671439613.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1671514496.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1670084259.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1608000419.0000000001BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1653423380.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1669986854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OgcktrbHkI.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pspizbvl.exe PID: 3156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6912, type: MEMORYSTR
Source: C:\Users\user\Desktop\OgcktrbHkI.exe Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 0_2_004088B0
Source: C:\Windows\SysWOW64\kofydeki\pspizbvl.exe Code function: 11_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 11_2_004088B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 13_2_00CD88B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 13_2_00CD88B0