Windows Analysis Report BK635636736_BOOKING CONFIRMATION.exe

Overview

General Information

Sample Name: BK635636736_BOOKING CONFIRMATION.exe
Analysis ID: 482251
MD5: da33aac5f666cb19e32c78e1e8ddfeef
SHA1: 7a1c547f1c38b9fe7b3a651787c863d490d294cc
SHA256: 2217f0ae6d8b681ae360e36dd03619b29c17bae98dbca0db4a9723ca0a386d37
Tags: exe

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
GuLoader behavior detected
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: BK635636736_BOOKING CONFIRMATION.exe | Virustotal: Detection: 26%
Source: BK635636736_BOOKING CONFIRMATION.exe | ReversingLabs: Detection: 18%
Source: BK635636736_BOOKING CONFIRMATION.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown | DNS traffic detected: queries for: jenniferscarscda.com
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461454488.000000000069A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: BK635636736_BOOKING CONFIRMATION.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461748038.0000000002B70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefluor.exeFE2XKareo vs BK635636736_BOOKING CONFIRMATION.exe
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461353171.0000000000449000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamefluor.exe vs BK635636736_BOOKING CONFIRMATION.exe
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000000.460434910.0000000000449000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamefluor.exe vs BK635636736_BOOKING CONFIRMATION.exe
Source: BK635636736_BOOKING CONFIRMATION.exe | Binary or memory string: OriginalFilenamefluor.exe vs BK635636736_BOOKING CONFIRMATION.exe
Source: BK635636736_BOOKING CONFIRMATION.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BK635636736_BOOKING CONFIRMATION.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02330F23 NtWriteVirtualMemory,LoadLibraryA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233189E NtWriteVirtualMemory,TerminateProcess,LoadLibraryA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_023431BA NtProtectVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02330583 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_023399FB NtWriteVirtualMemory,TerminateProcess,CreateFileA,NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233A232 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233963C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339226 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339E28 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233B62D NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233421F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02338E7A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339A7C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339263 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02338A43 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02338A4D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02338ABA NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02338EBD NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_023396BD NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339E97 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233B69E NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339AE6 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233A2C2 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02338F20 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02338B2B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02338F62 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233A342 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233FF42 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02338BA7 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_023397AE NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339F9F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339382 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233B784 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233B7F9 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02340BEF NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339BD0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339023 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02338C20 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339826 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233B876 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233987B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339466 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339C43 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339CB4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_023390A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02338C8F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_023398FF NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233A0DA NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233B532 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233B530 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02338939 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233A126 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233912B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339D1E NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02338D0C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233B574 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339968 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233955B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02339DB1 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233A1A1 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_023391A4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Process Stats: CPU usage > 98%
Source: BK635636736_BOOKING CONFIRMATION.exe | Virustotal: Detection: 26%
Source: BK635636736_BOOKING CONFIRMATION.exe | ReversingLabs: Detection: 18%
Source: BK635636736_BOOKING CONFIRMATION.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe 'C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe'
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Process created: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe 'C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe'
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Process created: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe 'C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe'
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine | Classification label: mal68.troj.evad.winEXE@3/0@1/1
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: BK635636736_BOOKING CONFIRMATION.exe | Static PE information: real checksum: 0x7532e should be: 0x7b7a8
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_00403A25 push cs; iretd 0_2_00403A95
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_004076EE push ebp; retf 0_2_004076EF
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_00561C44 push es; retn 0056h 22_2_00561C45
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_00561815 push ds; iretd 22_2_005618E9
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_0056342A push edi; ret 22_2_0056342B
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_0056708B push FFFFFF97h; ret 22_2_0056708D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_0056211A push 94F7E348h; ret 22_2_00562155
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_00563904 push edx; ret 22_2_00563905
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_005641C2 push esi; ret 22_2_005641C3
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_00563DB0 push esp; retn 0056h 22_2_00563DB1
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_00567A44 push ebp; retn 0056h 22_2_00567AA5
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_00561E2F push ds; iretd 22_2_00561E8B
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_005636CC push edx; ret 22_2_0056385D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_005662E6 push ebx; ret 22_2_00566275
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_00567ABC push ebp; retn 0056h 22_2_00567AD9
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_00565F74 push esi; iretd 22_2_00565F81
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_00562F73 push edi; ret 22_2_00562F75
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_00564F6B push edx; ret 22_2_00564F7D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_005637C6 push edx; ret 22_2_0056385D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 22_2_00562B8F push edx; ret 22_2_00562B91
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461755682.0000000002C70000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461454488.000000000069A000.00000004.00000020.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02340785 rdtsc 0_2_02340785
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | System information queried: ModuleInformation
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461755682.0000000002C70000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000000.00000002.461454488.000000000069A000.00000004.00000020.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233F281 mov eax, dword ptr fs:[00000030h] 0_2_0233F281
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02335ECD mov eax, dword ptr fs:[00000030h] 0_2_02335ECD
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233FF72 mov eax, dword ptr fs:[00000030h] 0_2_0233FF72
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233FF6D mov eax, dword ptr fs:[00000030h] 0_2_0233FF6D
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02341BBA mov eax, dword ptr fs:[00000030h] 0_2_02341BBA
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02337481 mov eax, dword ptr fs:[00000030h] 0_2_02337481
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233757E mov eax, dword ptr fs:[00000030h] 0_2_0233757E
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233AD4A mov eax, dword ptr fs:[00000030h] 0_2_0233AD4A
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_02340785 rdtsc 0_2_02340785
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Code function: 0_2_0233CFB6 LdrInitializeThunk, 0_2_0233CFB6
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Process created: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe 'C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe'
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000002.745686034.0000000000E70000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000002.745686034.0000000000E70000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000002.745686034.0000000000E70000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: BK635636736_BOOKING CONFIRMATION.exe, 00000016.00000002.745686034.0000000000E70000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\BK635636736_BOOKING CONFIRMATION.exe | Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file | Signature Results: GuLoader behavior

Mitre Att&ck Matrix

The matrix is listed per tactic column; trailing digits on a technique name are the signature-count badges as shown in the original matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection12; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion21; Process Injection12; Obfuscated Files or Information1; Binary Padding; Software Packing
Credential Access: Input Capture1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery321; Virtualization/Sandbox Evasion21; Process Discovery1; System Information Discovery12; Remote System Discovery1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Input Capture1; Archive Collected Data1; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Encrypted Channel12; Non-Application Layer Protocol1; Application Layer Protocol2; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

Behavior Graph

[Behavior graph image not reproduced here; Behavior Graph ID: 482251]