Windows Analysis Report K9jgh4owKk.exe

Overview

General Information

Sample Name: K9jgh4owKk.exe
Analysis ID: 546752
MD5: a5eb3426e582795b6393a328cd27bf94
SHA1: a2494b972f175cadc7e3b43d67af4c7f7efebb19
SHA256: 67dd305f6e4cdfaa395ca06f30d971b8a0d4bf3926bfb140b258f0704b31f92b
Tags: Dridex, exe
Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected Dridex e-Banking trojan
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to query network adapter information
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0.2.K9jgh4owKk.exe.400000.0.unpack Malware Configuration Extractor: Dridex {"Version": 10111, "C2 list": ["103.9.36.172:443", "103.70.29.126:593", "46.101.175.170:10172"], "RC4 keys": ["CisvU52kuCqMOp5DJVJjX7NpSOgbFn5Z", "BuEjfhtq8TjhQNb5njPJFUKys2hxPATu0lv0D3Dehj6DP2DBu0bINeCHPnMKWBGwRiks5KDBnA"]}
Multi AV Scanner detection for submitted file
Source: K9jgh4owKk.exe Virustotal: Detection: 60%
Source: K9jgh4owKk.exe Metadefender: Detection: 25%
Source: K9jgh4owKk.exe ReversingLabs: Detection: 60%
Antivirus / Scanner detection for submitted sample
Source: K9jgh4owKk.exe Avira: detected
Machine Learning detection for sample
Source: K9jgh4owKk.exe Joe Sandbox ML: detected

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Unpacked PE file: 0.2.K9jgh4owKk.exe.400000.0.unpack
Uses 32bit PE files
Source: K9jgh4owKk.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 103.9.36.172:443 -> 192.168.2.7:49757 version: TLS 1.2
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0042CEF8 FindFirstFileExW, 0_2_0042CEF8

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 103.9.36.172:443
Source: Malware configuration extractor IPs: 103.70.29.126:593
Source: Malware configuration extractor IPs: 46.101.175.170:10172
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Host: 103.9.36.172 | Content-Length: 4857 | Connection: Close | Cache-Control: no-cache (same request repeated 37 times)
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49758 -> 103.70.29.126:593
Source: global traffic TCP traffic: 192.168.2.7:49760 -> 46.101.175.170:10172
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.0.15 | Date: Fri, 31 Dec 2021 08:51:19 GMT | Content-Type: text/plain; charset=utf-8 | Connection: close (same response repeated every 3-4 seconds through 08:53:17 GMT)
Source: unknown TCP traffic detected without corresponding DNS query: 103.9.36.172
Source: unknown TCP traffic detected without corresponding DNS query: 103.70.29.126
Source: unknown TCP traffic detected without corresponding DNS query: 46.101.175.170
Source: K9jgh4owKk.exe, 00000000.00000003.282622361.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.498833996.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.396193564.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.255513353.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.356858095.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.257742677.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.249960607.000000000082D000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.463782631.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.269005674.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511479825.0000000000827000.00000004.00000020.sdmp, K9jgh4owKk.exe, 00000000.00000003.251751071.000000000082D000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.338303234.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261873587.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.403679166.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.430727069.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476796082.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.349116394.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.313585698.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.275885215.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.483986043.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.437511417.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.506063959.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.253117743.000000000082D000.00000004.00000001.sdmp, K9jgh4owKk.exe, 
00000000.00000003.268971889.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.297499247.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261835900.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.342357782.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.304411755.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.335027531.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.328384567.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.257700106.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.255628194.000000000082C000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.444196322.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: K9jgh4owKk.exe, 00000000.00000003.254942420.00000000030CE000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: K9jgh4owKk.exe, 00000000.00000003.254942420.00000000030CE000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/#4
Source: K9jgh4owKk.exe, 00000000.00000003.254942420.00000000030CE000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/14h)1
Source: K9jgh4owKk.exe, 00000000.00000003.282622361.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.498833996.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.396193564.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.255513353.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.356858095.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.257742677.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.463782631.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.269005674.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511479825.0000000000827000.00000004.00000020.sdmp, K9jgh4owKk.exe, 00000000.00000003.338303234.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261873587.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.403679166.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.430727069.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476796082.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.349116394.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.313585698.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.275885215.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.483986043.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.437511417.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.506063959.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.253117743.000000000082D000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.268971889.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.297499247.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 
00000000.00000003.261835900.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.342357782.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.304411755.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.335027531.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.328384567.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.257700106.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.255628194.000000000082C000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.444196322.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: K9jgh4owKk.exe, 00000000.00000003.282622361.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.498833996.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.396193564.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.356858095.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.463782631.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511479825.0000000000827000.00000004.00000020.sdmp, K9jgh4owKk.exe, 00000000.00000003.338303234.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.403679166.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.430727069.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476796082.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.349116394.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.313585698.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.275885215.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.483986043.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.437511417.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.506063959.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.268971889.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.297499247.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261835900.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.342357782.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.304411755.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.335027531.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.328384567.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.257700106.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.444196322.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: K9jgh4owKk.exe, 00000000.00000003.254942420.00000000030CE000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.254958778.00000000030D7000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?778b81b82bb2c
Source: K9jgh4owKk.exe, 00000000.00000003.282622361.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.498833996.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.396193564.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.255513353.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.356858095.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.257742677.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.463782631.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.269005674.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511479825.0000000000827000.00000004.00000020.sdmp, K9jgh4owKk.exe, 00000000.00000003.338303234.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261873587.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.403679166.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.430727069.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476796082.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.349116394.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.313585698.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.275885215.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.483986043.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.437511417.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.506063959.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.253117743.000000000082D000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.268971889.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.297499247.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261835900.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.342357782.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.304411755.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.335027531.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.328384567.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.257700106.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.255628194.000000000082C000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.444196322.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.70.29.126/
Source: K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.70.29.126:593/
Source: K9jgh4owKk.exe, 00000000.00000003.338303234.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.335027531.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.70.29.126:593//y
Source: K9jgh4owKk.exe, 00000000.00000003.338303234.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.70.29.126:593/Q
Source: K9jgh4owKk.exe, 00000000.00000003.338303234.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.349116394.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.342357782.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.70.29.126:593/R
Source: K9jgh4owKk.exe, 00000000.00000002.511762640.0000000000895000.00000004.00000001.sdmp String found in binary or memory: https://103.70.29.126:593/aphy
Source: K9jgh4owKk.exe, 00000000.00000003.282622361.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.498833996.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.396193564.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.255513353.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.356858095.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.257742677.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.463782631.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.269005674.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511479825.0000000000827000.00000004.00000020.sdmp, K9jgh4owKk.exe, 00000000.00000003.338303234.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261873587.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.403679166.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.430727069.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476796082.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.349116394.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.313585698.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.275885215.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.483986043.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.437511417.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.506063959.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.253117743.000000000082D000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.268971889.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.297499247.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261835900.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.342357782.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.304411755.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.335027531.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.328384567.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.257700106.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.255628194.000000000082C000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.444196322.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.70.29.126:593/ll
Source: K9jgh4owKk.exe, 00000000.00000003.483986043.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.70.29.126:593/lly
Source: K9jgh4owKk.exe, 00000000.00000003.328384567.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.403718756.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.444196322.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/
Source: K9jgh4owKk.exe, 00000000.00000003.282622361.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.269005674.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.275885215.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.268971889.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.297499247.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172//d$
Source: K9jgh4owKk.exe, 00000000.00000003.498833996.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.463782631.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511479825.0000000000827000.00000004.00000020.sdmp, K9jgh4owKk.exe, 00000000.00000003.403679166.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476796082.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.483986043.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.506063959.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/101.175.170:10172/L
Source: K9jgh4owKk.exe, 00000000.00000003.282622361.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511479825.0000000000827000.00000004.00000020.sdmp, K9jgh4owKk.exe, 00000000.00000003.313585698.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.275885215.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.506063959.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.297499247.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.304411755.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.335027531.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.328384567.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/101.175.170:10172/Sign
Source: K9jgh4owKk.exe, 00000000.00000003.498833996.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.396193564.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.463782631.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511479825.0000000000827000.00000004.00000020.sdmp, K9jgh4owKk.exe, 00000000.00000003.403679166.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.430727069.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476796082.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.483986043.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.437511417.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.506063959.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.444196322.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/101.175.170:10172/W
Source: K9jgh4owKk.exe, 00000000.00000003.444196322.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/101.175.170:10172/ication
Source: K9jgh4owKk.exe, 00000000.00000003.498833996.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511479825.0000000000827000.00000004.00000020.sdmp, K9jgh4owKk.exe, 00000000.00000003.430727069.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476796082.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.483986043.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.437511417.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.506063959.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.444196322.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/5Ze(
Source: K9jgh4owKk.exe, 00000000.00000003.506114094.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.463838545.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476853326.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.484043126.00000000030CD000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/D4
Source: K9jgh4owKk.exe, 00000000.00000003.349485775.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491355139.00000000030CD000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/H4
Source: K9jgh4owKk.exe, 00000000.00000003.498833996.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.349116394.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/RY
Source: K9jgh4owKk.exe, 00000000.00000003.313585698.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.297499247.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.304411755.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.328384567.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/iversal
Source: K9jgh4owKk.exe, 00000000.00000003.430727069.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/oY
Source: K9jgh4owKk.exe, 00000000.00000003.261873587.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.349116394.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.483986043.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261835900.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.304411755.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/rsaenh.dll
Source: K9jgh4owKk.exe, 00000000.00000003.463782631.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.313585698.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/rsaenh.dllx
Source: K9jgh4owKk.exe, 00000000.00000002.511245314.00000000007BA000.00000004.00000020.sdmp String found in binary or memory: https://103.9.36.172/ryptprimitives.dll
Source: K9jgh4owKk.exe, 00000000.00000003.498833996.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.463782631.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511479825.0000000000827000.00000004.00000020.sdmp, K9jgh4owKk.exe, 00000000.00000003.430727069.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476796082.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.483986043.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.437511417.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.506063959.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.444196322.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/t
Source: K9jgh4owKk.exe, 00000000.00000003.282622361.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.269005674.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.275885215.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.268971889.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/v$
Source: K9jgh4owKk.exe, 00000000.00000003.430727069.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.506063959.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/vider
Source: K9jgh4owKk.exe, 00000000.00000003.356858095.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.349116394.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/x
Source: K9jgh4owKk.exe, 00000000.00000003.282622361.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.269005674.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261873587.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.268971889.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261835900.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.328384567.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://103.9.36.172/x$
Source: K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170/
Source: K9jgh4owKk.exe, 00000000.00000003.282622361.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.269005674.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261873587.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.275885215.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.268971889.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261835900.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170/R$
Source: K9jgh4owKk.exe, 00000000.00000003.261873587.000000000082B000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261835900.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170/d$
Source: K9jgh4owKk.exe, 00000000.00000003.444196322.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/
Source: K9jgh4owKk.exe, 00000000.00000003.396193564.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/7
Source: K9jgh4owKk.exe, 00000000.00000003.491355139.00000000030CD000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/E2
Source: K9jgh4owKk.exe, 00000000.00000003.498833996.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511479825.0000000000827000.00000004.00000020.sdmp, K9jgh4owKk.exe, 00000000.00000003.506063959.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/H
Source: K9jgh4owKk.exe, 00000000.00000003.338347874.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.349485775.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.336677145.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.444272579.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.498872671.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.506114094.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.513180409.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.356894421.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.430945199.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.463838545.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.342457886.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476853326.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491355139.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.437583136.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.396300883.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.484043126.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.403718756.00000000030CD000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/J2
Source: K9jgh4owKk.exe, 00000000.00000003.396193564.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.430727069.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.437511417.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.444196322.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/L
Source: K9jgh4owKk.exe, 00000000.00000003.476796082.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/Q
Source: K9jgh4owKk.exe, 00000000.00000003.430945199.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.484043126.00000000030CD000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/S2
Source: K9jgh4owKk.exe, 00000000.00000003.282622361.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.498833996.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.463782631.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476796082.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.313585698.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.275885215.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.483986043.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.268971889.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.297499247.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.261835900.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.304411755.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.335027531.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.328384567.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/Sign
Source: K9jgh4owKk.exe, 00000000.00000003.275885215.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/T
Source: K9jgh4owKk.exe, 00000000.00000003.356858095.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/W
Source: K9jgh4owKk.exe, 00000000.00000003.484043126.00000000030CD000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/X2
Source: K9jgh4owKk.exe, 00000000.00000003.444272579.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.430945199.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.463838545.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476853326.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.437583136.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.396300883.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.403718756.00000000030CD000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/_3
Source: K9jgh4owKk.exe, 00000000.00000003.338347874.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.349485775.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.336677145.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.444272579.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.498872671.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.430945199.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.463838545.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.342457886.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.476853326.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.491355139.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.437583136.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.396300883.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.484043126.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.403718756.00000000030CD000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/a
Source: K9jgh4owKk.exe, 00000000.00000003.338347874.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.336677145.00000000030CD000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/a2
Source: K9jgh4owKk.exe, 00000000.00000003.491107772.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/ication
Source: K9jgh4owKk.exe, 00000000.00000003.338347874.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.349485775.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.336677145.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.506114094.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.513180409.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.356894421.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.342457886.00000000030CD000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/l
Source: K9jgh4owKk.exe, 00000000.00000003.338347874.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.349485775.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.336677145.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.356894421.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.342457886.00000000030CD000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/m3
Source: K9jgh4owKk.exe, 00000000.00000003.396300883.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.403718756.00000000030CD000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/r3
Source: K9jgh4owKk.exe, 00000000.00000003.275885215.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/t
Source: K9jgh4owKk.exe, 00000000.00000002.511762640.0000000000895000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.336787597.0000000000895000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/w
Source: K9jgh4owKk.exe, 00000000.00000003.484043126.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.335027531.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.328384567.0000000000827000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.403718756.00000000030CD000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.444196322.0000000000827000.00000004.00000001.sdmp String found in binary or memory: https://46.101.175.170:10172/y
Source: K9jgh4owKk.exe, 00000000.00000003.342457886.00000000030CD000.00000004.00000001.sdmp String found in binary or memory: https://463.9.36.172/
Source: unknown HTTP traffic detected: POST / HTTP/1.1Host: 103.9.36.172Content-Length: 4857Connection: CloseCache-Control: no-cache
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_004339F9 InternetReadFile, 0_2_004339F9
Source: unknown HTTPS traffic detected: 103.9.36.172:443 -> 192.168.2.7:49757 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: K9jgh4owKk.exe, 00000000.00000002.511245314.00000000007BA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 0.2.K9jgh4owKk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K9jgh4owKk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K9jgh4owKk.exe.22b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.K9jgh4owKk.exe.22b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.512470585.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.510744656.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Detected Dridex e-Banking trojan
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00405150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW, 0_2_00405150

System Summary:

Uses 32bit PE files
Source: K9jgh4owKk.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00405150 0_2_00405150
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_004167C8 0_2_004167C8
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00421020 0_2_00421020
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0041D030 0_2_0041D030
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_004188C0 0_2_004188C0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00418CC0 0_2_00418CC0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0040ACD0 0_2_0040ACD0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0041A0D0 0_2_0041A0D0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_004198DA 0_2_004198DA
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0041E0A0 0_2_0041E0A0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0042DCA0 0_2_0042DCA0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_004250A0 0_2_004250A0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00424CA0 0_2_00424CA0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00425CB0 0_2_00425CB0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00417564 0_2_00417564
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00401570 0_2_00401570
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0041FDD0 0_2_0041FDD0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_004289F0 0_2_004289F0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_004271F0 0_2_004271F0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0041D980 0_2_0041D980
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0042D180 0_2_0042D180
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0041C590 0_2_0041C590
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0040F9A0 0_2_0040F9A0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00421240 0_2_00421240
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0041A660 0_2_0041A660
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00427660 0_2_00427660
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00422E60 0_2_00422E60
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00409E70 0_2_00409E70
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00419E70 0_2_00419E70
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0040CA10 0_2_0040CA10
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0042FA10 0_2_0042FA10
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00420220 0_2_00420220
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0042D620 0_2_0042D620
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00423EC0 0_2_00423EC0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0042FA10 0_2_0042FA10
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00406AD0 0_2_00406AD0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_004196D0 0_2_004196D0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0041F6E0 0_2_0041F6E0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0041B6F0 0_2_0041B6F0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00418EF0 0_2_00418EF0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_004262F0 0_2_004262F0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0041AE80 0_2_0041AE80
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00418AB0 0_2_00418AB0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00421EB0 0_2_00421EB0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_004226B0 0_2_004226B0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0041BF50 0_2_0041BF50
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00415B60 0_2_00415B60
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00423B00 0_2_00423B00
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00429B10 0_2_00429B10
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00421730 0_2_00421730
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_004183C0 0_2_004183C0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00417FC0 0_2_00417FC0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00427FC0 0_2_00427FC0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0041E3F0 0_2_0041E3F0
Contains functionality to call native functions
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_004122A0 NtDelayExecution, 0_2_004122A0
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0042BE30 NtClose, 0_2_0042BE30
Sample file is different than original file name gathered from version info
Source: K9jgh4owKk.exe, 00000000.00000002.511153036.00000000004A6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePropSchemasetip.exeX vs K9jgh4owKk.exe
Source: K9jgh4owKk.exe Binary or memory string: OriginalFilenamePropSchemasetip.exeX vs K9jgh4owKk.exe
Source: K9jgh4owKk.exe Virustotal: Detection: 60%
Source: K9jgh4owKk.exe Metadefender: Detection: 25%
Source: K9jgh4owKk.exe ReversingLabs: Detection: 60%
Source: K9jgh4owKk.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@1/2@0/3
Source: C:\Users\user\Desktop\K9jgh4owKk.exe File read: C:\Windows\System32\drivers\etc\hosts

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Unpacked PE file: 0.2.K9jgh4owKk.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Unpacked PE file: 0.2.K9jgh4owKk.exe.400000.0.unpack .text:ER;.rdata:R;.rdata2:W;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_02295B50 push edx; ret 0_2_02295CDE
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_022762ED pushad ; iretd 0_2_02276305
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_02257192 push dword ptr [ebp+ecx*8-49h]; retf 0_2_02257196
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0226F6ED push esi; ret 0_2_0226F6F7
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0227FB94 push esi; ret 0_2_0227FBAB
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_022589BD push 00000369h; ret 0_2_02258A48
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_022589ED push 00000369h; ret 0_2_02258A48
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_02250EAF push esi; ret 0_2_02250EB4
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_02251D31 push FFFFFFD5h; ret 0_2_02251D38
PE file contains sections with non-standard names
Source: K9jgh4owKk.exe Static PE information: section name: .rdata2

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -510000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -840000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -604000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -765000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -574000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -260000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -276000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -282000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -276000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -270000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -172000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -316000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -295000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -450000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -155000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -151000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -471000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -314000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -537000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -274000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -354000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -297000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -156000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -686000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -328000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -335000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -162000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -152000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -294000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -274000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -372000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -318000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -252000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -266000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -161000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -349000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -342000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -286000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -319000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -352000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -396000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -254000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -143000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -344000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -648000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -307000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -444000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -244000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -348000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -129000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -322000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -252000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -121000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -328000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -251000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -308000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -257000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -277000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -146000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -296000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -359000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -329000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -163000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -309000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -169000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -342000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -242000s >= -30000s
Source: C:\Users\user\Desktop\K9jgh4owKk.exe TID: 6776 Thread sleep time: -149000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_022688FD rdtsc 0_2_022688FD
Contains functionality to query network adapter information
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW, 0_2_00405150
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00413930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation, 0_2_00413930
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_0042CEF8 FindFirstFileExW, 0_2_0042CEF8
Source: K9jgh4owKk.exe, 00000000.00000003.313760711.0000000000818000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511245314.00000000007BA000.00000004.00000020.sdmp, K9jgh4owKk.exe, 00000000.00000003.304456350.0000000000818000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.335083462.0000000000818000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.297554445.0000000000818000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511441277.0000000000818000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: K9jgh4owKk.exe, 00000000.00000003.335063439.00000000007FF000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000002.511245314.00000000007BA000.00000004.00000020.sdmp, K9jgh4owKk.exe, 00000000.00000003.313733042.00000000007FF000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.304444988.00000000007FF000.00000004.00000001.sdmp, K9jgh4owKk.exe, 00000000.00000003.297540471.00000000007FF000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW!

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_022688FD rdtsc 0_2_022688FD
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00416C50 KiUserExceptionDispatcher,LdrLoadDll, 0_2_00416C50
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Memory protected: page execute read | page execute and read and write | page guard
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00417A60 RtlAddVectoredExceptionHandler, 0_2_00417A60
Source: K9jgh4owKk.exe, 00000000.00000002.511928829.0000000000E40000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: K9jgh4owKk.exe, 00000000.00000002.511928829.0000000000E40000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: K9jgh4owKk.exe, 00000000.00000002.511928829.0000000000E40000.00000002.00020000.sdmp Binary or memory string: Progman
Source: K9jgh4owKk.exe, 00000000.00000002.511928829.0000000000E40000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\K9jgh4owKk.exe Code function: 0_2_00412980 GetUserNameW, 0_2_00412980