Windows Analysis Report PO-003785GMHN.exe

Overview

General Information

Sample Name:	PO-003785GMHN.exe
Analysis ID:	491604
MD5:	4577c41fc896a87df4513f13d29ee65a
SHA1:	38e76942a779e8b04cdf763cf993ceda76d049f2
SHA256:	144fc8c1a922dbb8162d72a94780f8559bbd9e6b1faa9e037fd33e809126b080
Tags:	exexloader
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected FormBook

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Writes to foreign memory regions

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Entry point lies outside standard sections

PE file contains strange resources

Drops PE files

Checks if the current process is being debugged

Uses reg.exe to modify the Windows registry

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.serpascarnes.com/8iwd/"], "decoy": ["openhousedigitale.com", "helpindia.store", "josiahspicer.com", "wydancer.com", "athinatoday.com", "asiapartnerspoint.com", "freemakechefsrecipes.com", "metrolistingsservices.com", "assarytagged.quest", "ververevival.com", "cjdue.com", "iqmetaverse.com", "sh-spgdk.com", "spacecitybeauty.com", "phasmatoidea.com", "yz1866.com", "tenlog009.xyz", "gameprizes.xyz", "415know.com", "virus-jestock.com", "fmsgmbh.com", "chinaglobalawarenesscodeday.com", "sekailuxe.com", "luvjoyproperties.com", "amandlaparaffin.com", "dreamcenterabq.com", "finestpoints.com", "lbbed.com", "teamgamecocks.club", "fallscreation.com", "365gy.net", "vtprealtor.com", "emailassure.com", "yogiler.com", "ss2196.com", "csntow.com", "lechotamalamona.com", "kingdomofdavid.kiwi", "ismaella.com", "facebooking.club", "adelinesgrill.com", "uzh.biz", "vivimendes.com", "throwpillowco.com", "honestwealthbuilding.com", "inoutinsurance.xyz", "iqvisory.com", "mkbau-quickborn.com", "sellbesty.com", "south1995officiel.com", "austrahe.com", "trancendentalastroshop.store", "gotcookies.net", "meglutenfree.com", "clayexoticsatl.com", "tonerventes.com", "torresflooringdecorllc.com", "mentication.com", "formula-evolution.com", "likethespirit.com", "reddysinfotech.com", "laketappsapartment.com", "yimailg.com", "0kscp.com"]}

Yara detected FormBook

Source: Yara match	File source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe

ReversingLabs: Detection: 24%

Compliance:

Uses 32bit PE files

Source: PO-003785GMHN.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49758 version: TLS 1.2

Source:	Binary string: cfgmgr32.pdb& source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.335206449.0000000002B84000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp, WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.350996915.0000000002582000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbL source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.335448704.0000000002B7F000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb5o source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb& source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbT source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.335001499.0000000002B8A000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: wkscli.pdbk source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: wkscli.pdb source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: mobsync.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.335448704.0000000002B7F000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbd source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb< source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbd source: WerFault.exe, 00000024.00000003.444746857.0000000003251000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.335001499.0000000002B8A000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb{ source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.335206449.0000000002B84000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdbX source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbB source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb2 source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: secinit.pdb source: WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.serpascarnes.com/8iwd/

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758

Source: PO-003785GMHN.exe, 00000001.00000003.290650649.0000000000707000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.351516370.000000000494A000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.451991215.000000000462B000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000002.467838217.0000000002E15000.00000004.00000020.sdmp

String found in binary or memory: http://crl.globalsign.net/root-r2.crl0

Source: unknown

DNS traffic detected: queries for: maxvilletruck.com

Source: global traffic	HTTP traffic detected: GET /errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn HTTP/1.1User-Agent: lValiHost: maxvilletruck.com
Source: global traffic	HTTP traffic detected: GET /errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn HTTP/1.1User-Agent: asweHost: maxvilletruck.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn HTTP/1.1User-Agent: asweHost: maxvilletruck.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn HTTP/1.1User-Agent: asweHost: maxvilletruck.comCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49758 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Uses 32bit PE files

Source: PO-003785GMHN.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Yara signature match

Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\Libraries\uxvffdU.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019

One or more processes crash

Source: C:\Windows\SysWOW64\mobsync.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 472

Detected potential crypto function

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50481030	7_2_50481030
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_5049C95C	7_2_5049C95C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50488C80	7_2_50488C80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50482D8C	7_2_50482D8C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50482D90	7_2_50482D90
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50482FB0	7_2_50482FB0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50481030	29_2_50481030
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049C95C	29_2_5049C95C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049CBD0	29_2_5049CBD0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50488C80	29_2_50488C80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50482D8C	29_2_50482D8C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50482D90	29_2_50482D90
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50482FB0	29_2_50482FB0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50481030	34_2_50481030
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049C95C	34_2_5049C95C
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049CBD0	34_2_5049CBD0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50488C80	34_2_50488C80
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50482D8C	34_2_50482D8C
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50482D90	34_2_50482D90
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50482FB0	34_2_50482FB0

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 5049A3A0 appears 38 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 5049A4D0 appears 38 times

PE file contains strange resources

Source: PO-003785GMHN.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PO-003785GMHN.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Udffvxu.exe.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Udffvxu.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f

Source: C:\Users\user\Desktop\PO-003785GMHN.exe

File read: C:\Users\user\Desktop\PO-003785GMHN.exe

Jump to behavior

Source: C:\Users\user\Desktop\PO-003785GMHN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO-003785GMHN.exe 'C:\Users\user\Desktop\PO-003785GMHN.exe'
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 472
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe 'C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe'
Source: unknown	Process created: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe 'C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe'
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 484
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Windows\SysWOW64\secinit.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 236
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe	Jump to behavior

Source: C:\Users\user\Desktop\PO-003785GMHN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO-003785GMHN.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Udffvxubuutfiqkrvfkzhnjdxnhxzvn[1]

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB637.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winEXE@27/22@3/2

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6840:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4908
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5368
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6824

Source: C:\Users\user\Desktop\PO-003785GMHN.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: cfgmgr32.pdb& source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.335206449.0000000002B84000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp, WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.350996915.0000000002582000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbL source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.335448704.0000000002B7F000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb5o source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb& source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbT source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.335001499.0000000002B8A000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: wkscli.pdbk source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: wkscli.pdb source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: mobsync.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.335448704.0000000002B7F000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbd source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb< source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbd source: WerFault.exe, 00000024.00000003.444746857.0000000003251000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.335001499.0000000002B8A000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb{ source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.335206449.0000000002B84000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdbX source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbB source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb2 source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: secinit.pdb source: WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_5049B832 push eax; ret	7_2_5049B838
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_5049B89C push eax; ret	7_2_5049B8A2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_504999A4 push 3788F9D1h; ret	7_2_504999A9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50489294 push ecx; retf	7_2_50489296
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50495EC4 push cs; retf	7_2_50495ECB
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049B83B push eax; ret	29_2_5049B8A2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049B832 push eax; ret	29_2_5049B838
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049B89C push eax; ret	29_2_5049B8A2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049C952 push esi; ret	29_2_5049C954
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_504999A4 push 3788F9D1h; ret	29_2_504999A9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50489294 push ecx; retf	29_2_50489296
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50495EC4 push cs; retf	29_2_50495ECB
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049B7E5 push eax; ret	29_2_5049B838
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049B83B push eax; ret	34_2_5049B8A2
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049B832 push eax; ret	34_2_5049B838
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049B89C push eax; ret	34_2_5049B8A2
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049C952 push esi; ret	34_2_5049C954
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_504999A4 push 3788F9D1h; ret	34_2_504999A9
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50489294 push ecx; retf	34_2_50489296
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50495EC4 push cs; retf	34_2_50495ECB
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049B7E5 push eax; ret	34_2_5049B838

PE file contains sections with non-standard names

Source: PO-003785GMHN.exe	Static PE information: section name: .....
Source: PO-003785GMHN.exe	Static PE information: section name: ......
Source: PO-003785GMHN.exe	Static PE information: section name: .....
Source: PO-003785GMHN.exe	Static PE information: section name: ....
Source: PO-003785GMHN.exe	Static PE information: section name: ......
Source: PO-003785GMHN.exe	Static PE information: section name: ....
Source: PO-003785GMHN.exe	Static PE information: section name: ......
Source: PO-003785GMHN.exe	Static PE information: section name: ......
Source: PO-003785GMHN.exe	Static PE information: section name: .....
Source: Udffvxu.exe.1.dr	Static PE information: section name: .....
Source: Udffvxu.exe.1.dr	Static PE information: section name: ......
Source: Udffvxu.exe.1.dr	Static PE information: section name: .....
Source: Udffvxu.exe.1.dr	Static PE information: section name: ....
Source: Udffvxu.exe.1.dr	Static PE information: section name: ......
Source: Udffvxu.exe.1.dr	Static PE information: section name: ....
Source: Udffvxu.exe.1.dr	Static PE information: section name: ......
Source: Udffvxu.exe.1.dr	Static PE information: section name: ......
Source: Udffvxu.exe.1.dr	Static PE information: section name: .....

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: ......

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\PO-003785GMHN.exe

File created: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe

Jump to dropped file

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Udffvxu			Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Udffvxu			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon4828.png

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 7_2_504888C4 rdtsc

7_2_504888C4

Source: WerFault.exe, 0000001F.00000003.447033397.000000000460C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWigabit Network Connection-WFP 802.3 MAC Layer LightWeight Filter-0000
Source: WerFault.exe, 00000011.00000002.351446266.0000000004920000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.452128030.0000000004661000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000002.467819421.0000000002E0A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000024.00000002.468210045.0000000004CE0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWh

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 7_2_504888C4 rdtsc

7_2_504888C4

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\mobsync.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\secinit.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 7_2_5048A00E LdrInitializeThunk,

7_2_5048A00E

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50480000	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: 190000	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: 1A0000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50480000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: E30000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: E40000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 50480000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 790000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 7A0000	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50480000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 190000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 1A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50480000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: E30000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: E40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 50480000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 790000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 7A0000 protect: page execute and read and write	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 1A0000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: E40000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 7A0000	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe	Jump to behavior

Source: mobsync.exe, 00000007.00000000.329301564.0000000003270000.00000002.00020000.sdmp, mobsync.exe, 0000001D.00000000.404702268.0000000003600000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: mobsync.exe, 00000007.00000000.329301564.0000000003270000.00000002.00020000.sdmp, mobsync.exe, 0000001D.00000000.404702268.0000000003600000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: mobsync.exe, 00000007.00000000.329301564.0000000003270000.00000002.00020000.sdmp, mobsync.exe, 0000001D.00000000.404702268.0000000003600000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: mobsync.exe, 00000007.00000000.329301564.0000000003270000.00000002.00020000.sdmp, mobsync.exe, 0000001D.00000000.404702268.0000000003600000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
64.33.128.70	maxvilletruck.com	United States		11796	AIRSTREAMCOMM-NETUS	false

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
maxvilletruck.com	64.33.128.70	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.serpascarnes.com/8iwd/	true	Avira URL Cloud: safe	low
https://maxvilletruck.com/errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn	false	Avira URL Cloud: safe	unknown

AV Detection:

Found malware configuration

Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp

Yara detected FormBook

Source: Yara match	File source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe

ReversingLabs: Detection: 24%

Compliance:

Uses 32bit PE files

Source: PO-003785GMHN.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49758 version: TLS 1.2

Source:	Binary string: cfgmgr32.pdb& source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.335206449.0000000002B84000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp, WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.350996915.0000000002582000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbL source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.335448704.0000000002B7F000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb5o source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb& source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbT source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.335001499.0000000002B8A000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: wkscli.pdbk source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: wkscli.pdb source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: mobsync.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.335448704.0000000002B7F000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbd source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb< source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbd source: WerFault.exe, 00000024.00000003.444746857.0000000003251000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.335001499.0000000002B8A000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb{ source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.335206449.0000000002B84000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdbX source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbB source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb2 source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: secinit.pdb source: WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.serpascarnes.com/8iwd/

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758

String found in binary or memory: http://crl.globalsign.net/root-r2.crl0

Source: unknown

DNS traffic detected: queries for: maxvilletruck.com

Source: global traffic	HTTP traffic detected: GET /errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn HTTP/1.1User-Agent: lValiHost: maxvilletruck.com
Source: global traffic	HTTP traffic detected: GET /errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn HTTP/1.1User-Agent: asweHost: maxvilletruck.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn HTTP/1.1User-Agent: asweHost: maxvilletruck.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn HTTP/1.1User-Agent: asweHost: maxvilletruck.comCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49758 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Uses 32bit PE files

Source: PO-003785GMHN.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Yara signature match

Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\Libraries\uxvffdU.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019

One or more processes crash

Source: C:\Windows\SysWOW64\mobsync.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 472

Detected potential crypto function

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50481030	7_2_50481030
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_5049C95C	7_2_5049C95C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50488C80	7_2_50488C80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50482D8C	7_2_50482D8C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50482D90	7_2_50482D90
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50482FB0	7_2_50482FB0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50481030	29_2_50481030
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049C95C	29_2_5049C95C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049CBD0	29_2_5049CBD0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50488C80	29_2_50488C80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50482D8C	29_2_50482D8C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50482D90	29_2_50482D90
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50482FB0	29_2_50482FB0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50481030	34_2_50481030
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049C95C	34_2_5049C95C
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049CBD0	34_2_5049CBD0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50488C80	34_2_50488C80
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50482D8C	34_2_50482D8C
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50482D90	34_2_50482D90
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50482FB0	34_2_50482FB0

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 5049A3A0 appears 38 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 5049A4D0 appears 38 times

PE file contains strange resources

Source: PO-003785GMHN.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PO-003785GMHN.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Udffvxu.exe.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Udffvxu.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f

Source: C:\Users\user\Desktop\PO-003785GMHN.exe

File read: C:\Users\user\Desktop\PO-003785GMHN.exe

Jump to behavior

Source: C:\Users\user\Desktop\PO-003785GMHN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO-003785GMHN.exe 'C:\Users\user\Desktop\PO-003785GMHN.exe'
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 472
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe 'C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe'
Source: unknown	Process created: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe 'C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe'
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 484
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Windows\SysWOW64\secinit.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 236
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe	Jump to behavior

Source: C:\Users\user\Desktop\PO-003785GMHN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO-003785GMHN.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Udffvxubuutfiqkrvfkzhnjdxnhxzvn[1]

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB637.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winEXE@27/22@3/2

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6840:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4908
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5368
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6824

Source: C:\Users\user\Desktop\PO-003785GMHN.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: cfgmgr32.pdb& source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.335206449.0000000002B84000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp, WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.350996915.0000000002582000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbL source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.335448704.0000000002B7F000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb5o source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb& source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbT source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.335001499.0000000002B8A000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: wkscli.pdbk source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: wkscli.pdb source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: mobsync.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.335448704.0000000002B7F000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbd source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb< source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbd source: WerFault.exe, 00000024.00000003.444746857.0000000003251000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.335001499.0000000002B8A000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb{ source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.335206449.0000000002B84000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdbX source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbB source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb2 source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp
Source:	Binary string: secinit.pdb source: WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_5049B832 push eax; ret	7_2_5049B838
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_5049B89C push eax; ret	7_2_5049B8A2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_504999A4 push 3788F9D1h; ret	7_2_504999A9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50489294 push ecx; retf	7_2_50489296
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 7_2_50495EC4 push cs; retf	7_2_50495ECB
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049B83B push eax; ret	29_2_5049B8A2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049B832 push eax; ret	29_2_5049B838
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049B89C push eax; ret	29_2_5049B8A2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049C952 push esi; ret	29_2_5049C954
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_504999A4 push 3788F9D1h; ret	29_2_504999A9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50489294 push ecx; retf	29_2_50489296
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_50495EC4 push cs; retf	29_2_50495ECB
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 29_2_5049B7E5 push eax; ret	29_2_5049B838
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049B83B push eax; ret	34_2_5049B8A2
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049B832 push eax; ret	34_2_5049B838
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049B89C push eax; ret	34_2_5049B8A2
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049C952 push esi; ret	34_2_5049C954
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_504999A4 push 3788F9D1h; ret	34_2_504999A9
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50489294 push ecx; retf	34_2_50489296
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_50495EC4 push cs; retf	34_2_50495ECB
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 34_2_5049B7E5 push eax; ret	34_2_5049B838

PE file contains sections with non-standard names

Source: PO-003785GMHN.exe	Static PE information: section name: .....
Source: PO-003785GMHN.exe	Static PE information: section name: ......
Source: PO-003785GMHN.exe	Static PE information: section name: .....
Source: PO-003785GMHN.exe	Static PE information: section name: ....
Source: PO-003785GMHN.exe	Static PE information: section name: ......
Source: PO-003785GMHN.exe	Static PE information: section name: ....
Source: PO-003785GMHN.exe	Static PE information: section name: ......
Source: PO-003785GMHN.exe	Static PE information: section name: ......
Source: PO-003785GMHN.exe	Static PE information: section name: .....
Source: Udffvxu.exe.1.dr	Static PE information: section name: .....
Source: Udffvxu.exe.1.dr	Static PE information: section name: ......
Source: Udffvxu.exe.1.dr	Static PE information: section name: .....
Source: Udffvxu.exe.1.dr	Static PE information: section name: ....
Source: Udffvxu.exe.1.dr	Static PE information: section name: ......
Source: Udffvxu.exe.1.dr	Static PE information: section name: ....
Source: Udffvxu.exe.1.dr	Static PE information: section name: ......
Source: Udffvxu.exe.1.dr	Static PE information: section name: ......
Source: Udffvxu.exe.1.dr	Static PE information: section name: .....

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: ......

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\PO-003785GMHN.exe

File created: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe

Jump to dropped file

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Udffvxu			Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Udffvxu			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon4828.png

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 7_2_504888C4 rdtsc

7_2_504888C4

Source: WerFault.exe, 0000001F.00000003.447033397.000000000460C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWigabit Network Connection-WFP 802.3 MAC Layer LightWeight Filter-0000
Source: WerFault.exe, 00000011.00000002.351446266.0000000004920000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.452128030.0000000004661000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000002.467819421.0000000002E0A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000024.00000002.468210045.0000000004CE0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWh

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 7_2_504888C4 rdtsc

7_2_504888C4

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\mobsync.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\secinit.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\mobsync.exe

Code function: 7_2_5048A00E LdrInitializeThunk,

7_2_5048A00E

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50480000	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: 190000	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: 1A0000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50480000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: E30000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory written: C:\Windows\SysWOW64\mobsync.exe base: E40000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 50480000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 790000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 7A0000	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50480000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 190000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 1A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50480000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: E30000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: E40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 50480000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 790000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 7A0000 protect: page execute and read and write	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 1A0000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: E40000	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 7A0000	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\PO-003785GMHN.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe	Jump to behavior

Source: mobsync.exe, 00000007.00000000.329301564.0000000003270000.00000002.00020000.sdmp, mobsync.exe, 0000001D.00000000.404702268.0000000003600000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: mobsync.exe, 00000007.00000000.329301564.0000000003270000.00000002.00020000.sdmp, mobsync.exe, 0000001D.00000000.404702268.0000000003600000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: mobsync.exe, 00000007.00000000.329301564.0000000003270000.00000002.00020000.sdmp, mobsync.exe, 0000001D.00000000.404702268.0000000003600000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: mobsync.exe, 00000007.00000000.329301564.0000000003270000.00000002.00020000.sdmp, mobsync.exe, 0000001D.00000000.404702268.0000000003600000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY

ID:	491604
Product:	CloudBasic
Start time:	18:33:38
Start date:	27.09.2021
Sample:	PO-003785GMHN.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	4577c41fc896a87df4513f13d29ee65a
SHA1:	38e76942a779e8b04cdf763cf993ceda76d049f2
SHA256:	144fc8c1a922dbb8162d72a94780f8559bbd9e6b1faa9e037fd33e809126b080
Filetype:	Win32 Executable (generic) a (10002005/4) 99.94%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mobsync.exe_6bcc80c01b68d7a1856c1d36a5714599ce5c4b73_cdf4f12b_160ff6b6\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	BD54F2AA59C3A5AF1C669D35FD3E56AD	71AC178446251C9CB5B3B3A16F79834FEB82AE65	4A2B04B2D246AB3ED0F5034C1E2D6E5D6EC219F86212ADC9CC996F19EB4BE540
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mobsync.exe_6bcc80c01b68d7a1856c1d36a5714599ce5c4b73_cdf4f12b_1bcb442f\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	A22A16F14C85A44741326D7369C07FC5	0707A4516712D9CF7ED8C8D85EA8FCCFF068CB48	74BBE36096EFD3621DC4DBCC15058CCC3B3C673187C0CA0EC97D22110A6AA9B4
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_secinit.exe_f56c6123434aae7f359d957692c7683f1aa80c_b4caafd3_153417da\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	94567AF14916744F7A01E31699BD8829	C780676198124ED4D2961C540B63C74B1F5C5A82	496F585243EE47666046CAE09D1FBF838ECD8DB68BB1D4CCA6F3625895E103B3
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A88.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Sep 28 01:35:36 2021, 0x1205a4 type	5AEBD046086DCCDD467DC428A29492A1	ED9A9E1A3F02BC5254C4D4BF8843E37F515EF55D	93D585053B59D90FA47ADCCF8F896E62FAAC0DD96E9896471FE065806148C59E
C:\ProgramData\Microsoft\Windows\WER\Temp\WER54E9.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	01184412678DE999371E01E0F1F30D85	9A77C664FD7C1DF8BBF62A6733120508B635A7E1	2424D069B31E9BC90A5DA7537F9016A82F1F6320102AA09AC2BE823AEFCCBEBA
C:\ProgramData\Microsoft\Windows\WER\Temp\WER593F.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	35725CD4E7E8D6F20B0DD2BB52E43E4C	BFB226D2611B9705B5BA3A5A3DF370566ADB3F6F	C589A10336034D3099C3D018031FB52460057D8D0E641742FB7E0A46A04A7379
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7438.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Sep 28 01:35:47 2021, 0x1205a4 type	2358F727D880604F3B65BD2B62CD704D	22C9BCB14A327B5EBB4F1F072C02BD0FD4B7F43D	48DD1FAE4B9F98EEEAB129401B3C065F5A6C524DFC07D981F31192804A18399D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CA5.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	603B6FB83948E22F1A6D3217201CDB12	16393B6EC1D1C8AC5AE079893324C8D37AC3E2ED	A494E4BC91A2F9D067BB28E03F0616B930228807B2067E545BCF7B25951115B2
C:\ProgramData\Microsoft\Windows\WER\Temp\WER82B1.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	B5E8F33EB538DB67FC50287D89802341	85AC55AA48E890A69C4B2D08AF8CA116EF066EAC	E4D174674B7D312C46C65B73B1D6780CC8C86755B505EA22C194ACB438007608
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB637.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Sep 28 01:34:58 2021, 0x1205a4 type	D8955BC2572659B3452164894296C61E	7110572E4CF5F298DEB5E89E17C435A95FE50687	AA2168998438AFF8948B7E956DFCCA46B5EE0BBF49B96E9B262499F73BB4E123
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC14.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	51944542525F00E7C1E3446CC19C1827	5FE1F75E164CF596F07A5C2B43BCBD25EBBF4DB8	06B3B714BBAD5A97A5D0AB23D8CBF38AC4616A0981D31A482734DA140EE5333D
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0C8.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	110A2E4269E651F62FE6D09C428A3C4F	9E59FD6478A3B618D5EAD1AE0A66A79F99FE47D1	831EB96082D2F0190111E1ED8CE821E25F68D52599DF6DB58DDAC71ECB8A6D46
C:\Users\Public\KDECO.bat	ASCII text, with no line terminators	213C60ADF1C9EF88DC3C9B2D579959D2	E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021	37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe	PE32 executable (GUI) Intel 80386, for MS Windows	4577C41FC896A87DF4513F13D29EE65A	38E76942A779E8B04CDF763CF993CEDA76D049F2	144FC8C1A922DBB8162D72A94780F8559BBD9E6B1FAA9E037FD33E809126B080
C:\Users\Public\Libraries\uxvffdU.url	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Udffvxu\\Udffvxu.exe">), ASCII text, with CRLF line terminators	1EA79767A9D38BB92294433C56CBB4DA	5478CEAF493DB9CD5126C33292EA78CFF76A4623	FE848DB8F7FFC14387058C513F4A795B59970D992006B8602D8A27D65DE0B4A9
C:\Users\Public\Trast.bat	ASCII text, with no line terminators	4068C9F69FCD8A171C67F81D4A952A54	4D2536A8C28CDCC17465E20D6693FB9E8E713B36	24222300C78180B50ED1F8361BA63CB27316EC994C1C9079708A51B4A1A9D810
C:\Users\Public\UKO.bat	ASCII text, with CRLF line terminators	EAF8D967454C3BBDDBF2E05A421411F8	6170880409B24DE75C2DC3D56A506FBFF7F6622C	F35F2658455A2E40F151549A7D6465A836C33FA9109E67623916F889849EAC56
C:\Users\Public\nest	ASCII text, with CRLF line terminators	2E18BC987D1729AE549ECED0611B61DA	79A360067C5589AFA94C4792898B3FF9320D5170	2411791A0EC8BE36B9AC98B127F7458DC0CB132D9471DE6E93AF742B34986F27
C:\Users\Public\nest.bat	ASCII text, with CRLF line terminators	8ADA51400B7915DE2124BAAF75E3414C	1A7B9DB12184AB7FD7FCE1C383F9670A00ADB081	45AA3957C29865260A78F03EEF18AE9AEBDBF7BEA751ECC88BE4A799F2BB46C7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Udffvxubuutfiqkrvfkzhnjdxnhxzvn[1]	data	680AD178FAEE835FCB51006F9C5D3937	50B58FFB28C9D0A33A10C8FFC9657524A750E72D	C5D3282B4668F33B8C04B1B7844DF4B4E43FA7B22DD646DB3C45BD4A3DCB7A44
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Udffvxubuutfiqkrvfkzhnjdxnhxzvn[1]	data	680AD178FAEE835FCB51006F9C5D3937	50B58FFB28C9D0A33A10C8FFC9657524A750E72D	C5D3282B4668F33B8C04B1B7844DF4B4E43FA7B22DD646DB3C45BD4A3DCB7A44
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Udffvxubuutfiqkrvfkzhnjdxnhxzvn[2]	data	680AD178FAEE835FCB51006F9C5D3937	50B58FFB28C9D0A33A10C8FFC9657524A750E72D	C5D3282B4668F33B8C04B1B7844DF4B4E43FA7B22DD646DB3C45BD4A3DCB7A44

Windows Analysis Report PO-003785GMHN.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs