Windows Analysis Report gLO4rDsniT

Overview

General Information

Sample Name:	gLO4rDsniT (renamed file extension from none to exe)
Analysis ID:	483687
MD5:	ebcd5648eab5a3214ec61d4bed956a36
SHA1:	b2a43a1489ce76373df3ba5e4ba54172a6cc92f4
SHA256:	bef7f97dcb40fd71e9a9fca6f43389749245f17e7a3092219d20217b8ad8e36a
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Maps a DLL or memory area into another process

Writes to foreign memory regions

Machine Learning detection for sample

Injects a PE file into a foreign processes

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.inboundtechnology.net/b9qq/"], "decoy": ["tmalborz.com", "jiutianbath.com", "yazdir.info", "budget.sucks", "harman-enterprises.com", "kedaidaging.com", "exiteight.com", "urpropertymanager.com", "tomorrowsrider.com", "otlpro.com", "shopfunda.com", "xinhaojc1998.com", "fyqyzs.com", "legal-plaza.net", "bonmarchefr.net", "3bestrehab.com", "riyadhalnarjes.com", "bharateeyaswasrayadarshan.com", "inchingforhelp.com", "lojongdev.com", "jonathanbrowndrums.com", "rongnhonhatban.online", "gelora.site", "shirleyswigsinc.com", "pepsi-vm.com", "lovabubble.com", "wwwburlingtontownshipcourts.com", "findousd.com", "santavitrine.com", "sabaidiver.com", "actionclassiccars.com", "comdevfund.info", "geomasala.com", "leviathanpursuits.net", "fenrirnoise.com", "planeadvisory.com", "goehub.com", "greyriverstay.com", "monikalupaczewska.com", "yournorwegiancourse.com", "xn--hgbque4i.com", "topdex.info", "canvasgoogle.com", "leal-am.com", "peach-dev.finance", "us-phoneprotection.com", "nek.cool", "oraclenailstucson.com", "bloortoqueen.com", "hfhscn.com", "grooveautohacking.com", "getallentownpets.com", "storiesofablonde.com", "assistance-habitation.com", "aandzauto.services", "eating4mentalhealth.com", "getcareerpower.com", "hayokapan.com", "georgestuff.com", "manage-autpypl-account.com", "cjbwxs.com", "goodgly.com", "toptoffee.com", "salonefestival.com"]}

Multi AV Scanner detection for submitted file

Source: gLO4rDsniT.exe	Virustotal: Detection: 32%			Perma Link
Source: gLO4rDsniT.exe	ReversingLabs: Detection: 40%

Yara detected FormBook

Source: Yara match	File source: 24.2.gLO4rDsniT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.gLO4rDsniT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.466649182.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.493656809.0000000006740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.543592754.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.529006238.0000000006740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.467041262.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.466807357.0000000003BB4000.00000004.00000001.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Virustotal: Detection: 32%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	ReversingLabs: Detection: 40%

Machine Learning detection for sample

Source: gLO4rDsniT.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 24.2.gLO4rDsniT.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: gLO4rDsniT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: gLO4rDsniT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: gLO4rDsniT.exe, 00000018.00000002.544829153.00000000014EF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: gLO4rDsniT.exe
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: gLO4rDsniT.exe
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256/ source: gLO4rDsniT.exe

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.inboundtechnology.net/b9qq/

Source: gLO4rDsniT.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: gLO4rDsniT.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: gLO4rDsniT.exe	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: gLO4rDsniT.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: gLO4rDsniT.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: gLO4rDsniT.exe	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: gLO4rDsniT.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: gLO4rDsniT.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: gLO4rDsniT.exe	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: gLO4rDsniT.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: gLO4rDsniT.exe	String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000006.00000002.375657759.0000000005EB2000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: gLO4rDsniT.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: gLO4rDsniT.exe	String found in binary or memory: http://ocsp.digicert.com0K
Source: gLO4rDsniT.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: gLO4rDsniT.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000006.00000002.371771340.0000000004F92000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: gLO4rDsniT.exe, 00000001.00000002.466072258.0000000002B8C000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.371504237.0000000004E51000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000006.00000002.371771340.0000000004F92000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: gLO4rDsniT.exe, 00000001.00000002.468335884.0000000006C42000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000006.00000002.375657759.0000000005EB2000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.375657759.0000000005EB2000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.375657759.0000000005EB2000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.371771340.0000000004F92000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.374276316.00000000056CB000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.375657759.0000000005EB2000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: gLO4rDsniT.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: gLO4rDsniT.exe	String found in binary or memory: https://www.newtonsoft.com/json
Source: gLO4rDsniT.exe	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: gLO4rDsniT.exe	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 24.2.gLO4rDsniT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.gLO4rDsniT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.466649182.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.493656809.0000000006740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.543592754.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.529006238.0000000006740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.467041262.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.466807357.0000000003BB4000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 24.2.gLO4rDsniT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.2.gLO4rDsniT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.gLO4rDsniT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.2.gLO4rDsniT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.466649182.0000000003B59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.466649182.0000000003B59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000000.493656809.0000000006740000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000000.493656809.0000000006740000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.543592754.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.543592754.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.529006238.0000000006740000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.529006238.0000000006740000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.467041262.0000000003C49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.467041262.0000000003C49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.466807357.0000000003BB4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.466807357.0000000003BB4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Uses 32bit PE files

Source: gLO4rDsniT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Yara signature match

Source: 24.2.gLO4rDsniT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.2.gLO4rDsniT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.gLO4rDsniT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.2.gLO4rDsniT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.545335617.0000000001800000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.545104364.0000000001700000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.466649182.0000000003B59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.466649182.0000000003B59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000000.493656809.0000000006740000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000000.493656809.0000000006740000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.543592754.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.543592754.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.529006238.0000000006740000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.529006238.0000000006740000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.467041262.0000000003C49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.467041262.0000000003C49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.466807357.0000000003BB4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.466807357.0000000003BB4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Detected potential crypto function

Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Code function: 1_2_07024080	1_2_07024080
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Code function: 1_2_07024070	1_2_07024070
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Code function: 1_2_07025C89	1_2_07025C89
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Code function: 1_2_006F3ECE	1_2_006F3ECE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04D8CEB8	6_2_04D8CEB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04D88B58	6_2_04D88B58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04D88B4A	6_2_04D88B4A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04D8DA78	6_2_04D8DA78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04D8DA68	6_2_04D8DA68
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_00401030	24_2_00401030
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0041BAC7	24_2_0041BAC7
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0041CBDC	24_2_0041CBDC
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_00408C5C	24_2_00408C5C
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_00408C60	24_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0041B5E8	24_2_0041B5E8
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_00402D87	24_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_00402D90	24_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_00402FB0	24_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_013FF900	24_2_013FF900
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01414120	24_2_01414120
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014199BF	24_2_014199BF
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_013F6800	24_2_013F6800
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014B1002	24_2_014B1002
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014CE824	24_2_014CE824
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0141A830	24_2_0141A830
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014C28EC	24_2_014C28EC
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0140B090	24_2_0140B090
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014220A0	24_2_014220A0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014C20A8	24_2_014C20A8
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0141AB40	24_2_0141AB40
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0149CB4F	24_2_0149CB4F
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01413360	24_2_01413360
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0141A309	24_2_0141A309
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014B231B	24_2_014B231B
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014C2B28	24_2_014C2B28
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014B03DA	24_2_014B03DA
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014BDBD2	24_2_014BDBD2
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0142ABD8	24_2_0142ABD8
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014A23E3	24_2_014A23E3
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01448BE8	24_2_01448BE8
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0149EB8A	24_2_0149EB8A
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0142138B	24_2_0142138B
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0141EB9A	24_2_0141EB9A
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0142EBB0	24_2_0142EBB0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014AFA2B	24_2_014AFA2B
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0141B236	24_2_0141B236
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014BE2C5	24_2_014BE2C5
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014B4AEF	24_2_014B4AEF
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014C22AE	24_2_014C22AE
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014C32A9	24_2_014C32A9
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01412D50	24_2_01412D50
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014C1D55	24_2_014C1D55
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_013F0D20	24_2_013F0D20
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014C2D07	24_2_014C2D07
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014C25DD	24_2_014C25DD
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0140D5E0	24_2_0140D5E0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01422581	24_2_01422581
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014B2D82	24_2_014B2D82
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014265A0	24_2_014265A0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014BD466	24_2_014BD466
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0141B477	24_2_0141B477
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0140841F	24_2_0140841F
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014B4496	24_2_014B4496
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014CDFCE	24_2_014CDFCE
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014B67E2	24_2_014B67E2
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014C1FF1	24_2_014C1FF1
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01415600	24_2_01415600
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014BD616	24_2_014BD616
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_00963ECE	24_2_00963ECE

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: String function: 01485720 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: String function: 0144D08C appears 41 times
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: String function: 013FB150 appears 154 times

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_004181C0 NtCreateFile,	24_2_004181C0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_00418270 NtReadFile,	24_2_00418270
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_004182F0 NtClose,	24_2_004182F0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_004183A0 NtAllocateVirtualMemory,	24_2_004183A0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_004182EA NtClose,	24_2_004182EA
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0041839D NtAllocateVirtualMemory,	24_2_0041839D
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439910 NtAdjustPrivilegesToken,LdrInitializeThunk,	24_2_01439910
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014399A0 NtCreateSection,LdrInitializeThunk,	24_2_014399A0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439860 NtQuerySystemInformation,LdrInitializeThunk,	24_2_01439860
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439A50 NtCreateFile,LdrInitializeThunk,	24_2_01439A50
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439A00 NtProtectVirtualMemory,LdrInitializeThunk,	24_2_01439A00
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014395D0 NtClose,LdrInitializeThunk,	24_2_014395D0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439710 NtQueryInformationToken,LdrInitializeThunk,	24_2_01439710
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439FE0 NtCreateMutant,LdrInitializeThunk,	24_2_01439FE0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439780 NtMapViewOfSection,LdrInitializeThunk,	24_2_01439780
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439660 NtAllocateVirtualMemory,LdrInitializeThunk,	24_2_01439660
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014396E0 NtFreeVirtualMemory,LdrInitializeThunk,	24_2_014396E0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439950 NtQueueApcThread,	24_2_01439950
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014399D0 NtCreateProcessEx,	24_2_014399D0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0143B040 NtSuspendThread,	24_2_0143B040
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439840 NtDelayExecution,	24_2_01439840
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439820 NtEnumerateKey,	24_2_01439820
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014398F0 NtReadVirtualMemory,	24_2_014398F0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014398A0 NtWriteVirtualMemory,	24_2_014398A0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439B00 NtSetValueKey,	24_2_01439B00
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0143A3B0 NtGetContextThread,	24_2_0143A3B0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439A10 NtQuerySection,	24_2_01439A10
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439A20 NtResumeThread,	24_2_01439A20
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439A80 NtOpenDirectoryObject,	24_2_01439A80
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439540 NtReadFile,	24_2_01439540
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439560 NtWriteFile,	24_2_01439560
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439520 NtWaitForSingleObject,	24_2_01439520
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0143AD30 NtSetContextThread,	24_2_0143AD30
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014395F0 NtQueryInformationFile,	24_2_014395F0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439760 NtOpenProcess,	24_2_01439760
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0143A770 NtOpenThread,	24_2_0143A770
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439770 NtSetInformationFile,	24_2_01439770
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0143A710 NtOpenProcessToken,	24_2_0143A710
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439730 NtQueryVirtualMemory,	24_2_01439730
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_014397A0 NtUnmapViewOfSection,	24_2_014397A0
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439650 NtQueryValueKey,	24_2_01439650
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439670 NtQueryInformationProcess,	24_2_01439670
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_01439610 NtEnumerateValueKey,	24_2_01439610

Sample file is different than original file name gathered from version info

Source: gLO4rDsniT.exe	Binary or memory string: OriginalFilename vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000001.00000002.464892605.0000000001030000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameEldvvwydeqtuviuraf.dllF vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000001.00000002.463955476.0000000000CA0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameVxddsbqhvdmitgr.dll" vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000001.00000000.238967806.00000000006F2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000001.00000000.238967806.00000000006F2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBEB.exe0 vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000001.00000002.466492327.0000000002C92000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe	Binary or memory string: OriginalFilename vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000018.00000002.544829153.00000000014EF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000018.00000002.543650246.0000000000962000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe, 00000018.00000002.543650246.0000000000962000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBEB.exe0 vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs gLO4rDsniT.exe
Source: gLO4rDsniT.exe	Binary or memory string: OriginalFilenameBEB.exe0 vs gLO4rDsniT.exe

PE file contains strange resources

Source: gLO4rDsniT.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gLO4rDsniT.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: gLO4rDsniT.exe	Virustotal: Detection: 32%
Source: gLO4rDsniT.exe	ReversingLabs: Detection: 40%

Source: C:\Users\user\Desktop\gLO4rDsniT.exe

File read: C:\Users\user\Desktop\gLO4rDsniT.exe

Source: unknown	Process created: C:\Users\user\Desktop\gLO4rDsniT.exe 'C:\Users\user\Desktop\gLO4rDsniT.exe'
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process created: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process created: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Jump to behavior

Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Code function: 1_2_07027177 push edi; ret	1_2_07027179
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04D8326F push dword ptr [esp+ecx*2-75h]; ret	6_2_04D83273
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0041612D push esp; ret	24_2_0041612E
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0040F371 push cs; retf	24_2_0040F377
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0041B3B5 push eax; ret	24_2_0041B408
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0041B46C push eax; ret	24_2_0041B472
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0041B402 push eax; ret	24_2_0041B408
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0041B40B push eax; ret	24_2_0041B472
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_00419C9C push eax; iretd	24_2_00419C9D
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Code function: 24_2_0144D0D1 push ecx; ret	24_2_0144D0E4

Source: initial sample	Static PE information: section name: .text entropy: 7.11687874343
Source: initial sample	Static PE information: section name: .text entropy: 7.11687874343

Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\gLO4rDsniT.exe TID: 6312	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe TID: 6392	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5432	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6884	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2312			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2041			Jump to behavior

Source: powershell.exe, 00000006.00000002.372800204.0000000005294000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: explorer.exe, 00000019.00000000.478669261.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000019.00000000.478669261.000000000891C000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000019.00000000.469435502.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000019.00000000.497503166.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000019.00000000.472332532.00000000053D7000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000019.00000000.497503166.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: powershell.exe, 00000006.00000002.371771340.0000000004F92000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Memory written: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Memory written: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\gLO4rDsniT.exe	Memory written: C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe base: C22008	Jump to behavior

Source: explorer.exe, 00000019.00000000.478793677.00000000089FF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000019.00000002.514938411.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000019.00000002.514938411.0000000001640000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000019.00000000.469199654.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000019.00000002.514938411.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000019.00000002.514938411.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

ID:	483687
Product:	CloudBasic
Start time:	11:35:23
Start date:	15.09.2021
Sample:	gLO4rDsniT
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	ebcd5648eab5a3214ec61d4bed956a36
SHA1:	b2a43a1489ce76373df3ba5e4ba54172a6cc92f4
SHA256:	bef7f97dcb40fd71e9a9fca6f43389749245f17e7a3092219d20217b8ad8e36a
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gLO4rDsniT.exe.log	ASCII text, with CRLF line terminators	3197B1D4714B56F2A6AC9E83761739AE	3B38010F0DF51C1D4D2C020138202DABB686741D	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	36DE9155D6C265A1DE62A448F3B5B66E	02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3	8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	DEC1CE107BF9A1348958A864D173BC63	F5EFAD01E6074887E7237ABDEA0AC0193D11370C	395FBB79E6D4032BF5E166A1215E89985158E92BF598A3CBC2FED792ED8F1A6A
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fwacnx5e.wgs.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmgobnyv.q3r.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	EBCD5648EAB5A3214EC61D4BED956A36	B2A43A1489CE76373DF3BA5E4BA54172A6CC92F4	BEF7F97DCB40FD71E9A9FCA6F43389749245F17E7A3092219D20217B8AD8E36A
C:\Users\user\AppData\Local\Temp\gLO4rDsniT.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20210915\PowerShell_transcript.841618.Y+XpuZo3.20210915113633.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	FF931FCCE8FDC4A6F721FFE72FF853C8	D616C4CBEC7C8B55BF38EA18447B1173019A1637	077C0652C040C77E5E578A791540C6AF2B02E48F3500580EFB770C10B41F9560

Windows Analysis Report gLO4rDsniT

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted URLs