Windows Analysis Report BK635636736_BOOKING CONFIRMATION.exe

Overview

General Information

Sample Name: BK635636736_BOOKING CONFIRMATION.exe
Analysis ID: 482251
MD5: da33aac5f666cb19e32c78e1e8ddfeef
SHA1: 7a1c547f1c38b9fe7b3a651787c863d490d294cc
SHA256: 2217f0ae6d8b681ae360e36dd03619b29c17bae98dbca0db4a9723ca0a386d37
Tags: exe

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
GuLoader behavior detected
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: BK635636736_BOOKING CONFIRMATION.exe Virustotal: Detection: 26%
Source: BK635636736_BOOKING CONFIRMATION.exe ReversingLabs: Detection: 18%

Compliance:

Uses 32bit PE files
Source: BK635636736_BOOKING CONFIRMATION.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown DNS traffic detected: queries for: jenniferscarscda.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461454488.000000000069A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: BK635636736_BOOKING CONFIRMATION.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461748038.0000000002B70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamefluor.exeFE2XKareo vs BK635636736_BOOKING CONFIRMATION.exe
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461353171.0000000000449000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamefluor.exe vs BK635636736_BOOKING CONFIRMATION.exe
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000000.460434910.0000000000449000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamefluor.exe vs BK635636736_BOOKING CONFIRMATION.exe
Source: BK635636736_BOOKING CONFIRMATION.exe Binary or memory string: OriginalFilenamefluor.exe vs BK635636736_BOOKING CONFIRMATION.exe
PE file contains strange resources
Source: BK635636736_BOOKING CONFIRMATION.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BK635636736_BOOKING CONFIRMATION.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02330F23 0_2_02330F23
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233AFFE 0_2_0233AFFE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02330CBA 0_2_02330CBA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233189E 0_2_0233189E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02330583 0_2_02330583
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023399FB 0_2_023399FB
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233A232 0_2_0233A232
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02340E33 0_2_02340E33
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332A38 0_2_02332A38
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233663F 0_2_0233663F
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02331E3E 0_2_02331E3E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233963C 0_2_0233963C
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339226 0_2_02339226
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339E28 0_2_02339E28
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332211 0_2_02332211
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02331614 0_2_02331614
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233421F 0_2_0233421F
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338E7A 0_2_02338E7A
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233167E 0_2_0233167E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339A7C 0_2_02339A7C
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339263 0_2_02339263
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332662 0_2_02332662
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02341267 0_2_02341267
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02335A66 0_2_02335A66
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233566F 0_2_0233566F
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233AE57 0_2_0233AE57
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02334255 0_2_02334255
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233765F 0_2_0233765F
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338A43 0_2_02338A43
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233BE44 0_2_0233BE44
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338A4D 0_2_02338A4D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023312B6 0_2_023312B6
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023342B5 0_2_023342B5
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02340EB2 0_2_02340EB2
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023362BA 0_2_023362BA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338ABA 0_2_02338ABA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338EBD 0_2_02338EBD
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023396BD 0_2_023396BD
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02334E91 0_2_02334E91
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233BE90 0_2_0233BE90
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339E97 0_2_02339E97
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02331E94 0_2_02331E94
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02333A9A 0_2_02333A9A
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02336686 0_2_02336686
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02337686 0_2_02337686
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332A8A 0_2_02332A8A
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02331EF7 0_2_02331EF7
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02335EF6 0_2_02335EF6
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023432FE 0_2_023432FE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332AFE 0_2_02332AFE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339AE6 0_2_02339AE6
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023356EE 0_2_023356EE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023312EC 0_2_023312EC
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023322D3 0_2_023322D3
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023366D3 0_2_023366D3
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023326D0 0_2_023326D0
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02335ADE 0_2_02335ADE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023376DE 0_2_023376DE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023312CE 0_2_023312CE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02335ECD 0_2_02335ECD
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338F20 0_2_02338F20
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332326 0_2_02332326
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338B2B 0_2_02338B2B
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02335328 0_2_02335328
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233132E 0_2_0233132E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233632E 0_2_0233632E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233BF10 0_2_0233BF10
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233671A 0_2_0233671A
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02335776 0_2_02335776
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233837A 0_2_0233837A
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233137D 0_2_0233137D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338F62 0_2_02338F62
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02335367 0_2_02335367
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02335F6A 0_2_02335F6A
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332B6E 0_2_02332B6E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02337756 0_2_02337756
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02331358 0_2_02331358
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233A342 0_2_0233A342
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233FF42 0_2_0233FF42
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023323B2 0_2_023323B2
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02331FB1 0_2_02331FB1
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233BFB9 0_2_0233BFB9
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02341BBA 0_2_02341BBA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023363A2 0_2_023363A2
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338BA7 0_2_02338BA7
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023357A6 0_2_023357A6
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023397AE 0_2_023397AE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02340FAA 0_2_02340FAA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02336792 0_2_02336792
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02343398 0_2_02343398
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339F9F 0_2_02339F9F
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02330B9C 0_2_02330B9C
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339382 0_2_02339382
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023383E7 0_2_023383E7
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023313EB 0_2_023313EB
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02340BEF 0_2_02340BEF
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339BD0 0_2_02339BD0
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02330BDB 0_2_02330BDB
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332BDE 0_2_02332BDE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02335FDE 0_2_02335FDE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023377CA 0_2_023377CA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023327C8 0_2_023327C8
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233B03A 0_2_0233B03A
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339023 0_2_02339023
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338C20 0_2_02338C20
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332C26 0_2_02332C26
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339826 0_2_02339826
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233202F 0_2_0233202F
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233241A 0_2_0233241A
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233641A 0_2_0233641A
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233580E 0_2_0233580E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233987B 0_2_0233987B
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339466 0_2_02339466
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233C86D 0_2_0233C86D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02331455 0_2_02331455
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339C43 0_2_02339C43
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332842 0_2_02332842
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02335C42 0_2_02335C42
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02337846 0_2_02337846
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233604E 0_2_0233604E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02335CB2 0_2_02335CB2
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339CB4 0_2_02339CB4
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023320A1 0_2_023320A1
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023390A0 0_2_023390A0
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023328A6 0_2_023328A6
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332C96 0_2_02332C96
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0234109A 0_2_0234109A
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02337481 0_2_02337481
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02335886 0_2_02335886
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332484 0_2_02332484
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338C8F 0_2_02338C8F
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233648E 0_2_0233648E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023304FA 0_2_023304FA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023358FA 0_2_023358FA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023398FF 0_2_023398FF
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02331CE7 0_2_02331CE7
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233A0DA 0_2_0233A0DA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02340CC3 0_2_02340CC3
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023314C8 0_2_023314C8
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02337D33 0_2_02337D33
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02331530 0_2_02331530
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02336136 0_2_02336136
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233AD36 0_2_0233AD36
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338939 0_2_02338939
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233A126 0_2_0233A126
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233912B 0_2_0233912B
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339D1E 0_2_02339D1E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02331102 0_2_02331102
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0234110E 0_2_0234110E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233290E 0_2_0233290E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338D0C 0_2_02338D0C
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332577 0_2_02332577
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02332976 0_2_02332976
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233657A 0_2_0233657A
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0234117E 0_2_0234117E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233757E 0_2_0233757E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338567 0_2_02338567
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339968 0_2_02339968
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233955B 0_2_0233955B
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339DB1 0_2_02339DB1
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023361BE 0_2_023361BE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233A1A1 0_2_0233A1A1
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023391A4 0_2_023391A4
Contains functionality to call native functions
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02330F23 NtWriteVirtualMemory,LoadLibraryA, 0_2_02330F23
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233189E NtWriteVirtualMemory,TerminateProcess,LoadLibraryA, 0_2_0233189E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023431BA NtProtectVirtualMemory, 0_2_023431BA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02330583 NtWriteVirtualMemory, 0_2_02330583
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023399FB NtWriteVirtualMemory,TerminateProcess,CreateFileA,NtAllocateVirtualMemory, 0_2_023399FB
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233A232 NtWriteVirtualMemory, 0_2_0233A232
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233963C NtWriteVirtualMemory, 0_2_0233963C
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339226 NtWriteVirtualMemory, 0_2_02339226
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339E28 NtWriteVirtualMemory, 0_2_02339E28
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233B62D NtAllocateVirtualMemory, 0_2_0233B62D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233421F NtWriteVirtualMemory, 0_2_0233421F
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338E7A NtWriteVirtualMemory, 0_2_02338E7A
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339A7C NtWriteVirtualMemory, 0_2_02339A7C
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339263 NtWriteVirtualMemory, 0_2_02339263
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338A43 NtWriteVirtualMemory, 0_2_02338A43
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338A4D NtWriteVirtualMemory, 0_2_02338A4D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338ABA NtWriteVirtualMemory, 0_2_02338ABA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338EBD NtWriteVirtualMemory, 0_2_02338EBD
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023396BD NtWriteVirtualMemory, 0_2_023396BD
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339E97 NtWriteVirtualMemory, 0_2_02339E97
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233B69E NtAllocateVirtualMemory, 0_2_0233B69E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339AE6 NtWriteVirtualMemory, 0_2_02339AE6
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233A2C2 NtWriteVirtualMemory, 0_2_0233A2C2
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338F20 NtWriteVirtualMemory, 0_2_02338F20
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338B2B NtWriteVirtualMemory, 0_2_02338B2B
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338F62 NtWriteVirtualMemory, 0_2_02338F62
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233A342 NtWriteVirtualMemory, 0_2_0233A342
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233FF42 NtWriteVirtualMemory, 0_2_0233FF42
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338BA7 NtWriteVirtualMemory, 0_2_02338BA7
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023397AE NtWriteVirtualMemory, 0_2_023397AE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339F9F NtWriteVirtualMemory, 0_2_02339F9F
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339382 NtWriteVirtualMemory, 0_2_02339382
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233B784 NtAllocateVirtualMemory, 0_2_0233B784
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233B7F9 NtAllocateVirtualMemory, 0_2_0233B7F9
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02340BEF NtWriteVirtualMemory, 0_2_02340BEF
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339BD0 NtWriteVirtualMemory, 0_2_02339BD0
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339023 NtWriteVirtualMemory, 0_2_02339023
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338C20 NtWriteVirtualMemory, 0_2_02338C20
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339826 NtWriteVirtualMemory, 0_2_02339826
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233B876 NtAllocateVirtualMemory, 0_2_0233B876
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233987B NtWriteVirtualMemory, 0_2_0233987B
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339466 NtWriteVirtualMemory, 0_2_02339466
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339C43 NtWriteVirtualMemory, 0_2_02339C43
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339CB4 NtWriteVirtualMemory, 0_2_02339CB4
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023390A0 NtWriteVirtualMemory, 0_2_023390A0
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338C8F NtWriteVirtualMemory, 0_2_02338C8F
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023398FF NtWriteVirtualMemory, 0_2_023398FF
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233A0DA NtWriteVirtualMemory, 0_2_0233A0DA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233B532 NtAllocateVirtualMemory, 0_2_0233B532
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233B530 NtAllocateVirtualMemory, 0_2_0233B530
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338939 NtWriteVirtualMemory, 0_2_02338939
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233A126 NtWriteVirtualMemory, 0_2_0233A126
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233912B NtWriteVirtualMemory, 0_2_0233912B
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339D1E NtWriteVirtualMemory, 0_2_02339D1E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02338D0C NtWriteVirtualMemory, 0_2_02338D0C
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233B574 NtAllocateVirtualMemory, 0_2_0233B574
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339968 NtWriteVirtualMemory, 0_2_02339968
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233955B NtWriteVirtualMemory, 0_2_0233955B
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02339DB1 NtWriteVirtualMemory, 0_2_02339DB1
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233A1A1 NtWriteVirtualMemory, 0_2_0233A1A1
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_023391A4 NtWriteVirtualMemory, 0_2_023391A4
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Process Stats: CPU usage > 98%
Source: BK635636736_BOOKING CONFIRMATION.exe Virustotal: Detection: 26%
Source: BK635636736_BOOKING CONFIRMATION.exe ReversingLabs: Detection: 18%
Source: BK635636736_BOOKING CONFIRMATION.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe 'C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe'
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Process created: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe 'C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe'
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Process created: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe 'C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe'
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine Classification label: mal68.troj.evad.winEXE@3/0@1/1
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe File read: C:\Windows\System32\drivers\etc\hosts
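The evidence above describes one chain: the sample starts a second copy of itself (the report flags a suspended create), then calls NtAllocateVirtualMemory, NtWriteVirtualMemory and NtProtectVirtualMemory, and the child (process 22 in the memory dumps) runs the injected code. The report lists the native calls per function but not which process they target, and a loader also allocates and writes in its own address space while decoding its payload, so a triage rule has to separate remote from local calls and check the order of the steps. The following is an added example, not code from the sandbox or from this report: it correlates a generic API-call trace into that chain. The record format (api, target_pid, args), the pids and the trace itself are constructed for the example.

```python
"""Correlation of an API-call trace into the injection chain the report lists:
suspended self-spawn, NtAllocateVirtualMemory / NtWriteVirtualMemory /
NtProtectVirtualMemory against the child, then a thread resume. Added example,
not from the sandbox; the trace format and the records below are constructed."""
CREATE_SUSPENDED = 0x00000004
EXEC_PROTECT = {0x10, 0x20, 0x40, 0x80}   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY


def classify_call(call: dict):
    """Map one call record to a chain step, or None if it is not relevant."""
    api, args = call["api"], call.get("args", {})
    if api in ("CreateProcessA", "CreateProcessW", "CreateProcessInternalW"):
        return "create_suspended" if args.get("dwCreationFlags", 0) & CREATE_SUSPENDED else None
    if api == "NtAllocateVirtualMemory":
        return "allocate"
    if api == "NtWriteVirtualMemory":
        return "write"
    if api == "NtProtectVirtualMemory":
        return "protect_exec" if args.get("NewProtect") in EXEC_PROTECT else None
    if api in ("NtResumeThread", "ResumeThread"):
        return "resume"
    return None


def detect_hollowing(trace: list, self_pid: int, self_image: str) -> dict:
    """Return, per target pid, the chain steps seen (in trace order), whether the
    child was launched from the caller's own image, and a verdict."""
    targets = {}
    for idx, call in enumerate(trace):
        step = classify_call(call)
        if step is None or call["target_pid"] == self_pid:
            continue   # allocations and writes in the caller's own process are normal
        info = targets.setdefault(call["target_pid"], {"steps": {}, "self_spawn": False})
        info["steps"].setdefault(step, idx)   # keep the first occurrence only
        if step == "create_suspended":
            args = call.get("args", {})
            image = args.get("lpApplicationName") or args.get("lpCommandLine", "")
            info["self_spawn"] = self_image.lower() in image.lower()
    verdicts = {}
    for pid, info in targets.items():
        s = info["steps"]
        # the chain only counts if the write happened after the suspended create
        # and the resume after the write
        chained = (all(k in s for k in ("create_suspended", "write", "resume"))
                   and s["create_suspended"] < s["write"] < s["resume"])
        verdict = "process_hollowing" if chained else ("suspicious" if "write" in s else "benign")
        verdicts[pid] = {"verdict": verdict, "self_spawn": info["self_spawn"],
                         "steps": sorted(s, key=s.get)}
    return verdicts


SELF_IMAGE = r"C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe"
# Constructed trace in the shape a sandbox exports; pids are illustrative.
SAMPLE_TRACE = [
    {"api": "NtAllocateVirtualMemory", "target_pid": 1000, "args": {"Protect": 0x40}},
    {"api": "CreateProcessA", "target_pid": 2000,
     "args": {"lpApplicationName": SELF_IMAGE, "dwCreationFlags": CREATE_SUSPENDED}},
    {"api": "NtAllocateVirtualMemory", "target_pid": 2000, "args": {"Protect": 0x04}},
    {"api": "NtWriteVirtualMemory", "target_pid": 2000, "args": {"BaseAddress": 0x400000}},
    {"api": "NtProtectVirtualMemory", "target_pid": 2000, "args": {"NewProtect": 0x20}},
    {"api": "NtResumeThread", "target_pid": 2000, "args": {}},
]

if __name__ == "__main__":
    print(detect_hollowing(SAMPLE_TRACE, self_pid=1000, self_image=SELF_IMAGE))
```

The verdict is driven by order, not by presence: a suspended create followed by a write and then a resume is the hollowing shape, while the same calls out of order (or writes without a resume) are only flagged as suspicious. A loader that maps a section into the child instead of allocating and writing would need NtMapViewOfSection added to the step table; the report shows no evidence of that variant.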

Data Obfuscation:

PE file contains an invalid checksum
Source: BK635636736_BOOKING CONFIRMATION.exe Static PE information: real checksum: 0x7532e should be: 0x7b7a8
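The checksum finding above and the Characteristics list in System Summary (LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED, which together are the value 0x010F) are both header-level checks that can be reproduced offline without running the sample. A mismatch such as 0x7532e against 0x7b7a8 means the file was changed after the checksum was written (or the field was filled with a bogus value), while a field of zero only means the linker never set it; the flag set, with msvbvm60.dll loaded at runtime, is consistent with a VB6-compiled executable. The following is an added example, not code from the report or from any tool it names: it locates the two fields, recomputes the checksum with the same algorithm imagehlp uses, and reports the verdict. Its only input is a constructed, headers-only PE32 image; no bytes of the sample are used.

```python
"""Static triage for two findings above: the PE header checksum mismatch and the
FileHeader.Characteristics flag set. Added example, not part of the sandbox
report; the only input is a constructed, headers-only PE32 image."""
from __future__ import annotations
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h); the five names the report
# lists correspond to the value 0x010F.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}


def pe_header_offsets(data: bytes) -> tuple[int, int, int]:
    """Return (e_lfanew, Characteristics offset, CheckSum offset)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    file_header = e_lfanew + 4
    optional_header = file_header + 20
    # Characteristics is the last WORD of IMAGE_FILE_HEADER; CheckSum sits at
    # +64 in the optional header for both PE32 and PE32+.
    return e_lfanew, file_header + 18, optional_header + 64


def characteristics_names(flags: int) -> list[str]:
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if flags & bit]


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Image checksum as imagehlp!CheckSumMappedFile computes it: ones-complement
    sum of the 32-bit words, skipping the CheckSum field itself, folded to
    16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset - checksum_offset % 4
    total = 0
    for i in range(0, len(padded), 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def check_pe(data: bytes) -> dict:
    _, char_off, sum_off = pe_header_offsets(data)
    stored = struct.unpack_from("<I", data, sum_off)[0]
    computed = pe_checksum(data, sum_off)
    flags = struct.unpack_from("<H", data, char_off)[0]
    # A zero field just means the linker never set it; a non-zero mismatch
    # means the header or body changed after the checksum was written.
    verdict = "unset" if stored == 0 else ("ok" if stored == computed else "mismatch")
    return {"stored": stored, "computed": computed, "verdict": verdict,
            "characteristics": characteristics_names(flags)}


def set_checksum(data: bytes, value: int) -> bytes:
    _, _, sum_off = pe_header_offsets(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, sum_off, value)
    return bytes(buf)


def build_sample_pe(checksum: int = 0, characteristics: int = 0x010F) -> bytes:
    """Constructed headers-only PE32 image used as test input (not the sample)."""
    e_lfanew = 0x80
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, 1 section, SizeOfOptionalHeader=224
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x014C, 1, 0, 0, 0, 224, characteristics)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x10B)           # PE32 magic
    struct.pack_into("<I", buf, opt + 64, checksum)   # CheckSum field
    return bytes(buf)


if __name__ == "__main__":
    print(check_pe(build_sample_pe()))
```

Running check_pe over a real file on disk (read it fully as bytes) gives the same stored/computed pair the report prints; because the CheckSum field is excluded from the sum, writing the computed value back and recomputing is stable, which is also why an invalid checksum is a reliable sign of post-link tampering rather than a corrupted field.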
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_00403A25 push cs; iretd 0_2_00403A95
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_004076EE push ebp; retf 0_2_004076EF
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00561C44 push es; retn 0056h 22_2_00561C45
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00561815 push ds; iretd 22_2_005618E9
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_0056342A push edi; ret 22_2_0056342B
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_0056708B push FFFFFF97h; ret 22_2_0056708D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_0056211A push 94F7E348h; ret 22_2_00562155
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00563904 push edx; ret 22_2_00563905
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_005641C2 push esi; ret 22_2_005641C3
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00563DB0 push esp; retn 0056h 22_2_00563DB1
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00567A44 push ebp; retn 0056h 22_2_00567AA5
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00561E2F push ds; iretd 22_2_00561E8B
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_005636CC push edx; ret 22_2_0056385D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_005662E6 push ebx; ret 22_2_00566275
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00567ABC push ebp; retn 0056h 22_2_00567AD9
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00565F74 push esi; iretd 22_2_00565F81
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00562F73 push edi; ret 22_2_00562F75
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00564F6B push edx; ret 22_2_00564F7D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_005637C6 push edx; ret 22_2_0056385D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 22_2_00562B8F push edx; ret 22_2_00562B91
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461755682.0000000002C70000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461454488.000000000069A000.00000004.00000020.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02340785 rdtsc 0_2_02340785
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe System information queried: ModuleInformation
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461755682.0000000002C70000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461454488.000000000069A000.00000004.00000020.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Thread information set: HideFromDebugger
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233F281 mov eax, dword ptr fs:[00000030h] 0_2_0233F281
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02335ECD mov eax, dword ptr fs:[00000030h] 0_2_02335ECD
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233FF72 mov eax, dword ptr fs:[00000030h] 0_2_0233FF72
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233FF6D mov eax, dword ptr fs:[00000030h] 0_2_0233FF6D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02341BBA mov eax, dword ptr fs:[00000030h] 0_2_02341BBA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02337481 mov eax, dword ptr fs:[00000030h] 0_2_02337481
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233757E mov eax, dword ptr fs:[00000030h] 0_2_0233757E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233AD4A mov eax, dword ptr fs:[00000030h] 0_2_0233AD4A
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_02340785 rdtsc 0_2_02340785
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Code function: 0_2_0233CFB6 LdrInitializeThunk, 0_2_0233CFB6

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Process created: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe 'C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe'
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000002.745686034.0000000000E70000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000002.745686034.0000000000E70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000002.745686034.0000000000E70000.00000002.00020000.sdmp Binary or memory string: Progman
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000002.745686034.0000000000E70000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior