Windows Analysis Report
ViKing-R2.exe

Overview

General Information

Sample name: ViKing-R2.exe
Analysis ID: 1467980
MD5: c39554bdab22961d0ac64c5c2e607915
SHA1: ea1d422f6ef34c453d1a72f605051666544994b2
SHA256: 6c1563fd7bc5f73b45639867591d05afb944dd7dce4caa94e59fbcfb9a48756c
Tags: exe

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file has a writeable .text section
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Keylogger Generic

Classification

AV Detection

Source: C:\Users\user\Desktop\libCzf.dll Virustotal: Detection: 13%
Source: ViKing-R2.exe Virustotal: Detection: 45%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: ViKing-R2.exe Joe Sandbox ML: detected
Source: ViKing-R2.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: wkernel32.pdb source: ViKing-R2.exe, 00000000.00000003.2312707983.0000000001508000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: ViKing-R2.exe, 00000000.00000003.2217130178.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Terod\Documents\d2\Win7Debug\TLibShield64.pdb source: ViKing-R2.exe
Source: Binary string: wntdll.pdb source: ViKing-R2.exe, 00000000.00000003.2217130178.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Terod\Documents\d2\Win7Debug\TLibShield32.pdb source: ViKing-R2.exe
Source: Binary string: E:\OSP\Windows-driver-samples-master\general\obcallback\control\Release\TLibShieldCtrl.pdbf source: ViKing-R2.exe
Source: Binary string: wuser32.pdb source: ViKing-R2.exe, 00000000.00000003.2359095459.0000000003120000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: E:\OSP\Windows-driver-samples-master\general\obcallback\control\Release\TLibShieldCtrl.pdb source: ViKing-R2.exe
Source: Binary string: wkernelbase.pdbUGP source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: ViKing-R2.exe, 00000000.00000003.2312707983.0000000001508000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: ViKing-R2.exe, 00000000.00000003.2359095459.0000000003120000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: Traffic Snort IDS: 2830033 ETPRO TROJAN Win32/Agent.xxxyeb Connectivity Check 192.168.2.5:49712 -> 103.235.47.188:80
Source: Joe Sandbox View IP Address: 103.235.47.188
Source: Joe Sandbox View ASN Name: BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd
Source: global traffic HTTP traffic detected: GET /ipJson.jsp HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: whois.pconline.com.cnCache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: testHost: www.baidu.comCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: www.baidu.com
Source: global traffic DNS traffic detected: DNS query: whois.pconline.com.cn
Source: ViKing-R2.exe String found in binary or memory: http://.https
Source: ViKing-R2.exe String found in binary or memory: http://api.ip138.com/ip/?token=
Source: ViKing-R2.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: ViKing-R2.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: ViKing-R2.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: ViKing-R2.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: ViKing-R2.exe String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: ViKing-R2.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: ViKing-R2.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: ViKing-R2.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: ViKing-R2.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: ViKing-R2.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: ViKing-R2.exe String found in binary or memory: http://ocsp.sectigo.com00
Source: ViKing-R2.exe String found in binary or memory: http://ocsp.thawte.com0
Source: ViKing-R2.exe String found in binary or memory: http://th.symcb.com/th.crl0
Source: ViKing-R2.exe String found in binary or memory: http://th.symcb.com/th.crt0
Source: ViKing-R2.exe String found in binary or memory: http://th.symcd.com0&
Source: ViKing-R2.exe, 00000000.00000003.2537778812.00000000010F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://whois.pconline.com.cn/
Source: ViKing-R2.exe, 00000000.00000003.2537778812.00000000010F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://whois.pconline.com.cn/Y
Source: ViKing-R2.exe String found in binary or memory: http://whois.pconline.com.cn/ipJson.jsp
Source: ViKing-R2.exe String found in binary or memory: http://www.adeds.com
Source: ViKing-R2.exe String found in binary or memory: https://2023.ipchaxun.com/
Source: ViKing-R2.exe String found in binary or memory: https://api.ip138.com/ip/?token=
Source: ViKing-R2.exe String found in binary or memory: https://api.ip138.com/ip/?token=http://api.ip138.com/ip/?token=retokip
Source: ViKing-R2.exe String found in binary or memory: https://searchplugin.csdn.net/api/v1/ip/get
Source: ViKing-R2.exe String found in binary or memory: https://searchplugin.csdn.net/api/v1/ip/getaddress:----
Source: ViKing-R2.exe String found in binary or memory: https://sectigo.com/CPS0
Source: ViKing-R2.exe String found in binary or memory: https://www.adeds.com
Source: ViKing-R2.exe String found in binary or memory: https://www.thawte.com/cps0/
Source: ViKing-R2.exe String found in binary or memory: https://www.thawte.com/repository0
Source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_8e4265c0-f
Source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_c576141b-f
Source: Yara match File source: ViKing-R2.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ViKing-R2.exe PID: 1812, type: MEMORYSTR

System Summary

Source: ViKing-R2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\ViKing-R2.exe Process Stats: CPU usage > 49%
Source: libCzf.dll.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ViKing-R2.exe, 00000000.00000003.2217130178.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUpdaterHelper_.exe< vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamebszip.dll" vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLZMA.dll, vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.00000000039FF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.00000000039FF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWXOnlineHooker.exe vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.0000000003C7D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIATHook.dll vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.0000000000960000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2312707983.000000000159A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000001.2106476473.0000000000940000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIATHook.dll vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000001.2106476473.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUpdaterHelper_.exe< vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000001.2106476473.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamebszip.dll" vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000001.2106476473.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLZMA.dll, vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000001.2106476473.0000000000A5B000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.00000000006C2000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000000.2105578806.00000000006C2000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWXOnlineHooker.exe vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.0000000003D98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUpdaterHelper_.exe< vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.0000000003D98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamebszip.dll" vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.0000000003D98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLZMA.dll, vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.0000000003D98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2449806806.0000000003C9D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2312707983.0000000001508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs ViKing-R2.exe
Source: ViKing-R2.exe, 00000000.00000003.2359095459.0000000003120000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs ViKing-R2.exe
Source: ViKing-R2.exe Binary or memory string: OriginalFilename$ vs ViKing-R2.exe
Source: ViKing-R2.exe Binary or memory string: OriginalFilenameWXOnlineHooker.exe vs ViKing-R2.exe
Source: ViKing-R2.exe Binary or memory string: OriginalFilenameIATHook.dll vs ViKing-R2.exe
Source: ViKing-R2.exe Binary or memory string: OriginalFilenameUpdaterHelper_.exe< vs ViKing-R2.exe
Source: ViKing-R2.exe Binary or memory string: OriginalFilenamebszip.dll" vs ViKing-R2.exe
Source: ViKing-R2.exe Binary or memory string: OriginalFilenameLZMA.dll, vs ViKing-R2.exe
Source: ViKing-R2.exe Binary string: H:\Device\HarddiskVolume6G:\Device\HarddiskVolume5F:\Device\HarddiskVolume4E:\Device\HarddiskVolume3D:\Device\HarddiskVolume2C:\Device\HarddiskVolume1Q@@@
Source: ViKing-R2.exe Binary string: \Device\TLibShield\DosDevices\TLibShieldTLibShield: Installing
Source: ViKing-R2.exe Binary string: \Device\HarddiskVolume6
Source: ViKing-R2.exe Binary string: \Device\HarddiskVolume5
Source: ViKing-R2.exe Binary string: \Device\HarddiskVolume4
Source: ViKing-R2.exe Binary string: \Device\HarddiskVolume3
Source: ViKing-R2.exe Binary string: \Device\HarddiskVolume2
Source: ViKing-R2.exe Binary string: \Device\HarddiskVolume1
Source: ViKing-R2.exe Binary string: \Device\TLibShield
Source: classification engine Classification label: mal96.evad.winEXE@1/1@2/2
Source: C:\Users\user\Desktop\ViKing-R2.exe File created: C:\Users\user\Desktop\libCzf.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ViKing-R2.exe Virustotal: Detection: 45%
Source: ViKing-R2.exe String found in binary or memory: TLibShieldCtrl.exe -install -name NameofExe -reject NameofExe -uninstall -deprotect [-?]
Source: ViKing-R2.exe String found in binary or memory: -install install driver
Source: ViKing-R2.exe String found in binary or memory: Unknown exceptionbad array new lengthbad caststring too longinvalid stoi argumentstoi argument out of range(unknown)(unknown source location):%ld in function ': iostreamsystem:%dUnknown error (%d)std:unknownUnknown interop error %dbad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setstd: [ at ]No message text available for error %dasio.miscAlready openEnd of fileElement not foundThe descriptor does not fit into the select call's fd_setasio.misc errortsswinsockUsage: TLibShieldCtrl.exe -install -name NameofExe -reject NameofExe -uninstall -deprotect [-?] -install install driver -uninstall uninstall driver -name NameofExe protect/filter access to NameofExe -reject NameofExe prevents execution of NameofExe -deprotect unprotect/unfilter-iCALL POSE:\OSP\Windows-driver-samples-master\general\obcallback\control\main.cpp %d
Source: ViKing-R2.exe String found in binary or memory: PCAUTODROP.BIN -addr=%s -port=%d -guid=%s -type=%d
Source: ViKing-R2.exe String found in binary or memory: PCAUTODROP.BIN -addr=%s -port=%d -guid=%s -type=%dPCAUTODROP.BIN
Source: ViKing-R2.exe String found in binary or memory: -addr
Source: ViKing-R2.exe String found in binary or memory: <http://www.adeds.com - QQ:778716166> =-addr-port-guid-type127.0.0.1{1268EEDD-41FE-4e88-B5CE-33D2E1692024}
Source: C:\Users\user\Desktop\ViKing-R2.exe File read: C:\Users\user\Desktop\ViKing-R2.exe
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: ext-ms-win-gdi-desktop-l1-1-0.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Section loaded: olepro32.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: ViKing-R2.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ViKing-R2.exe Static file information: File size 12681216 > 1048576
Source: ViKing-R2.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xb0b000
Source: ViKing-R2.exe Static PE information: Raw size of .sedata is bigger than: 0x100000 < 0x106000
Source: initial sample Static PE information: section where entry point is pointing to: .sedata
Source: libCzf.dll.0.dr Static PE information: real checksum: 0x12096 should be: 0x1ec26
Source: ViKing-R2.exe Static PE information: section name: .sedata
Source: ViKing-R2.exe Static PE information: section name: .sedata entropy: 7.459508118890517
Source: C:\Users\user\Desktop\ViKing-R2.exe File created: C:\Users\user\Desktop\libCzf.dll

Boot Survival

Source: C:\Users\user\Desktop\ViKing-R2.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\ViKing-R2.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\ViKing-R2.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ViKing-R2.exe API/Special instruction interceptor: Address: F37685
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F2A9B4 second address: F2AA9C instructions: 0x00000000 rdtsc 0x00000002 mov edx, ebx 0x00000004 jmp 00007F1C39389402h 0x00000006 lea eax, dword ptr [00000000h+eax*4] 0x0000000d setnb cl 0x00000010 lea ecx, dword ptr [00000000h+ebx*4] 0x00000017 jmp 00007F1C393893DAh 0x00000019 cmc 0x0000001a jmp 00007F1C39389476h 0x0000001c mov ah, byte ptr [esp] 0x0000001f lea esp, dword ptr [esp+20h] 0x00000023 dec esi 0x00000024 not ecx 0x00000026 lea edx, dword ptr [edi+ebp] 0x00000029 jmp 00007F1C3938942Dh 0x0000002b setle dl 0x0000002e bt eax, eax 0x00000031 jc 00007F1C39389485h 0x00000033 push esp 0x00000034 pop word ptr [esp] 0x00000038 mov dx, word ptr [esp+01h] 0x0000003d xchg word ptr [esp], ax 0x00000041 lea esp, dword ptr [esp+02h] 0x00000045 call 00007F1C393895B3h 0x0000004a shr eax, 1Fh 0x0000004d add ecx, 9BD8A65Eh 0x00000053 xchg cx, ax 0x00000056 mov dx, B974h 0x0000005a mov ah, byte ptr [esp] 0x0000005d jmp 00007F1C3938940Fh 0x0000005f xchg dword ptr [esp], ebx 0x00000062 push ebp 0x00000063 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F35619 second address: F36692 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+1Ch], edi 0x00000006 lea ecx, dword ptr [ecx+edi] 0x00000009 jmp 00007F1C395684BDh 0x0000000b mov cx, dx 0x0000000e lea ecx, dword ptr [edx+ebx] 0x00000011 popad 0x00000012 mov dword ptr [eax], edx 0x00000014 bsf cx, sp 0x00000018 js 00007F1C395683EBh 0x0000001a jns 00007F1C39568477h 0x0000001c mov ax, E463h 0x00000020 mov cl, byte ptr [esp] 0x00000023 neg eax 0x00000025 call 00007F1C395693B6h 0x0000002a rcl edx, 00000000h 0x0000002d mov eax, dword ptr [esp] 0x00000030 jmp 00007F1C3956845Ah 0x00000032 lea ecx, dword ptr [esp+00006F25h] 0x00000039 bt ax, dx 0x0000003d xchg dword ptr [esp], esi 0x00000040 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F3781C second address: F378CC instructions: 0x00000000 rdtsc 0x00000002 mov cl, dh 0x00000004 mov dl, byte ptr [esp] 0x00000007 jmp 00007F1C393894A3h 0x00000009 mov esi, dword ptr [edi] 0x0000000b neg ecx 0x0000000d je 00007F1C39389436h 0x0000000f lea edx, dword ptr [00000000h+eax*4] 0x00000016 mov dh, 8Eh 0x00000018 jmp 00007F1C3938946Ch 0x0000001a add edi, 04h 0x0000001d mov cx, word ptr [esp] 0x00000021 mov edx, FE7663B8h 0x00000026 jmp 00007F1C3938942Ah 0x00000028 xchg ah, dh 0x0000002a mov ah, bl 0x0000002c jmp 00007F1C393894E5h 0x00000031 mov cl, D4h 0x00000033 lea eax, dword ptr [ecx-000060CCh] 0x00000039 call 00007F1C3938940Ah 0x0000003e mov ecx, 5B6801A9h 0x00000043 mov dword ptr [esp], ebx 0x00000046 clc 0x00000047 jmp 00007F1C3938946Ch 0x00000049 jns 00007F1C39389415h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F378CC second address: F378CE instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F427C8 second address: F428E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C39389463h 0x00000004 dec esi 0x00000005 btc eax, edi 0x00000008 jmp 00007F1C39389499h 0x0000000a jo 00007F1C3938940Dh 0x0000000c mov dh, ch 0x0000000e mov ax, word ptr [esp] 0x00000012 jmp 00007F1C39389432h 0x00000014 mov ax, dx 0x00000017 sub esp, 0Bh 0x0000001a mov dl, byte ptr [esp+06h] 0x0000001e jmp 00007F1C39389429h 0x00000020 sub esp, 02h 0x00000023 jmp 00007F1C39389507h 0x00000028 bsf dx, dx 0x0000002c jns 00007F1C393893E5h 0x0000002e pop dx 0x00000030 sub esp, 1Ch 0x00000033 jmp 00007F1C39389435h 0x00000035 lea esp, dword ptr [esp+03h] 0x00000039 jmp 00007F1C3938947Fh 0x0000003b rol cl, 00000000h 0x0000003e xor edx, 46F3B00Ah 0x00000044 jnbe 00007F1C39389431h 0x00000046 setb dl 0x00000049 jmp 00007F1C3938948Dh 0x0000004b mov ax, di 0x0000004e sub esp, 12h 0x00000051 lea edx, dword ptr [00000000h+edx*4] 0x00000058 jmp 00007F1C3938948Ah 0x0000005a mov byte ptr [esp+0Dh], ch 0x0000005e xchg ax, dx 0x00000060 lea esp, dword ptr [esp+02h] 0x00000064 lea esp, dword ptr [esp+34h] 0x00000068 jmp 00007F1C3938942Ch 0x0000006a sub cl, FFFFFF9Ch 0x0000006d bsr eax, ecx 0x00000070 jno 00007F1C39389470h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F428E8 second address: F42931 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [ebp-00008B49h] 0x00000008 jmp 00007F1C39568793h 0x0000000d neg dl 0x0000000f lea edx, dword ptr [eax+ebx] 0x00000012 neg cl 0x00000014 jmp 00007F1C39568338h 0x00000019 xor dx, 6196h 0x0000001e jng 00007F1C395682FBh 0x00000024 setne al 0x00000027 push esp 0x00000028 push dword ptr [esp+02h] 0x0000002c xchg byte ptr [esp+05h], al 0x00000030 mov dx, FDC8h 0x00000034 jmp 00007F1C3956820Eh 0x00000039 lea esp, dword ptr [esp+08h] 0x0000003d neg cl 0x0000003f rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F2800E second address: F28095 instructions: 0x00000000 rdtsc 0x00000002 lea ecx, dword ptr [ebx+esi] 0x00000005 adc dh, bh 0x00000007 jnbe 00007F1C39389428h 0x00000009 jmp 00007F1C3938949Ah 0x0000000b dec eax 0x0000000c sub esp, 08h 0x0000000f push dword ptr [esp+06h] 0x00000013 jmp 00007F1C39389400h 0x00000015 pop dword ptr [esp+01h] 0x00000019 pop word ptr [esp+02h] 0x0000001e setnle ah 0x00000021 lea esp, dword ptr [esp+02h] 0x00000025 jmp 00007F1C393894C1h 0x00000027 lea esp, dword ptr [esp+04h] 0x0000002b xor ebp, 7F5A9E0Eh 0x00000031 not ch 0x00000033 sub ecx, 8F082D72h 0x00000039 jbe 00007F1C39389428h 0x0000003b lea eax, dword ptr [eax+eax] 0x0000003e neg ax 0x00000041 setnle dl 0x00000044 dec dh 0x00000046 not ch 0x00000048 jmp 00007F1C39389494h 0x0000004a dec ebp 0x0000004b jmp 00007F1C39389423h 0x0000004d inc cx 0x0000004f jnl 00007F1C39389438h 0x00000051 not ah 0x00000053 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F34550 second address: F345B5 instructions: 0x00000000 rdtsc 0x00000002 bswap edx 0x00000004 call 00007F1C39568446h 0x00000009 setl ah 0x0000000c xchg eax, edx 0x0000000d mov al, byte ptr [esp] 0x00000010 mov dh, bh 0x00000012 xchg dword ptr [esp], ecx 0x00000015 jmp 00007F1C395684A8h 0x00000017 not edx 0x00000019 pushfd 0x0000001a lea esp, dword ptr [esp+02h] 0x0000001e mov edx, dword ptr [esp] 0x00000021 mov dh, dl 0x00000023 lea esp, dword ptr [esp+02h] 0x00000027 jmp 00007F1C39568401h 0x00000029 lea ecx, dword ptr [ecx-00000025h] 0x0000002f bsf eax, ebp 0x00000032 lea eax, dword ptr [00000000h+ebp*4] 0x00000039 xchg dword ptr [esp], ecx 0x0000003c mov edx, dword ptr [esp] 0x0000003f rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F345B5 second address: F346A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C39389422h 0x00000004 bsr dx, sp 0x00000008 mov al, dh 0x0000000a push dword ptr [esp] 0x0000000d retn 0004h 0x00000010 bsf dx, si 0x00000014 xchg dword ptr [esp+08h], eax 0x00000018 jmp 00007F1C3938950Fh 0x0000001d mov ax, word ptr [esp+1Fh] 0x00000022 jmp 00007F1C39389430h 0x00000024 cmc 0x00000025 rol ecx, 00000000h 0x00000028 bswap edx 0x0000002a mov eax, 595FFF3Bh 0x0000002f lea edx, dword ptr [00000000h+ecx*4] 0x00000036 jmp 00007F1C39389460h 0x00000038 mov dword ptr [edi], ecx 0x0000003a mov eax, dword ptr [esp] 0x0000003d mov ecx, CEC89CB5h 0x00000042 mov cl, byte ptr [esp] 0x00000045 jmp 00007F1C393894E2h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F368B9 second address: F36BB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C39568420h 0x00000004 mov al, byte ptr [esp] 0x00000007 jmp 00007F1C3956845Fh 0x00000009 add edi, 04h 0x0000000c bsf cx, ax 0x00000010 jp 00007F1C39568ED3h 0x00000016 lea eax, dword ptr [edi+00000548h] 0x0000001c jmp 00007F1C39567C99h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F39806 second address: F2800E instructions: 0x00000000 rdtsc 0x00000002 mov dx, 2C96h 0x00000006 mov ch, bl 0x00000008 jmp 00007F1C3938B25Ah 0x0000000d xchg dword ptr [esp], eax 0x00000010 cmp ecx, 2F7A7201h 0x00000016 mov edx, dword ptr [esp] 0x00000019 xchg dl, ch 0x0000001b dec edx 0x0000001c mov cl, 24h 0x0000001e jmp 00007F1C393877DAh 0x00000023 lea eax, dword ptr [eax+01h] 0x00000026 rol ecx, cl 0x00000028 xchg ecx, edx 0x0000002a mov edx, ebx 0x0000002c xchg dword ptr [esp], eax 0x0000002f sub esp, 1Ch 0x00000032 jmp 00007F1C393893CDh 0x00000037 bswap eax 0x00000039 dec edx 0x0000003a pop dx 0x0000003c add esp, 16h 0x0000003f push dword ptr [esp+04h] 0x00000043 retn 0008h 0x00000046 inc cx 0x00000048 jno 00007F1C39389585h 0x0000004e jmp 00007F1C3938941Eh 0x00000050 xchg ax, cx 0x00000052 jmp 00007F1C39377BD4h 0x00000057 mov ebx, ebp 0x00000059 jmp 00007F1C39389400h 0x0000005b sets cl 0x0000005e mov ch, byte ptr [esp] 0x00000061 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F37599 second address: F37685 instructions: 0x00000000 rdtsc 0x00000002 mov dx, 87B0h 0x00000006 jmp 00007F1C39568475h 0x00000008 mov dx, word ptr [esp] 0x0000000c jmp 00007F1C39568509h 0x00000011 mov dx, 57B4h 0x00000015 mov cx, word ptr [esp] 0x00000019 lea ebp, dword ptr [00000000h+ecx*4] 0x00000020 mov ebp, dword ptr [esp] 0x00000023 mov cx, DB09h 0x00000027 jmp 00007F1C395683C4h 0x00000029 mov dx, ax 0x0000002c dec dh 0x0000002e jbe 00007F1C39568425h 0x00000030 mov ax, 646Ah 0x00000034 jmp 00007F1C3956845Dh 0x00000036 lea esp, dword ptr [esp+04h] 0x0000003a push ebx 0x0000003b push word ptr [esp+02h] 0x00000040 jmp 00007F1C3956841Bh 0x00000042 dec ecx 0x00000043 jmp 00007F1C3956847Ch 0x00000045 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F37685 second address: F3764F instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+02h] 0x00000006 add esp, 04h 0x00000009 jp 00007F1C3938940Dh 0x0000000b jnp 00007F1C3938940Bh 0x0000000d jmp 00007F1C39389474h 0x0000000f mov ebx, dword ptr [esp] 0x00000012 not si 0x00000015 not esi 0x00000017 lea esp, dword ptr [esp+04h] 0x0000001b mov dh, ah 0x0000001d jmp 00007F1C39389420h 0x0000001f mov ch, CDh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F3764F second address: F2800E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C395684BEh 0x00000004 pop esi 0x00000005 jmp 00007F1C39558DC6h 0x0000000a mov ebx, ebp 0x0000000c jmp 00007F1C395683F0h 0x0000000e sets cl 0x00000011 mov ch, byte ptr [esp] 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F72D2A second address: F72D49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C39389466h 0x00000004 lea edx, dword ptr [00000000h+eax*4] 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F72D49 second address: F72EF7 instructions: 0x00000000 rdtsc 0x00000002 mov dx, word ptr [esp] 0x00000006 mov edx, 8DD8D877h 0x0000000b xchg dword ptr [esp+24h], ebp 0x0000000f jmp 00007F1C39568475h 0x00000011 or edx, C95B0182h 0x00000017 mov dx, 3462h 0x0000001b cmp ax, cx 0x0000001e mov dx, word ptr [esp] 0x00000022 push dword ptr [esp+24h] 0x00000026 retn 0028h 0x00000029 lea edx, dword ptr [00000000h+edi*4] 0x00000030 call 00007F1C395684F3h 0x00000035 lea eax, dword ptr [00000000h+eax*4] 0x0000003c not ax 0x0000003f mov eax, dword ptr [esp] 0x00000042 xchg dh, dl 0x00000044 xchg dword ptr [esp], ecx 0x00000047 jmp 00007F1C395683FCh 0x00000049 xchg al, ah 0x0000004b not ah 0x0000004d bt dx, ax 0x00000051 bsr dx, cx 0x00000055 lea ecx, dword ptr [ecx+0Ah] 0x00000058 mov eax, 2F6AAD75h 0x0000005d jmp 00007F1C39568405h 0x0000005f not edx 0x00000061 mov al, ch 0x00000063 bsr edx, esp 0x00000066 xchg dword ptr [esp], ecx 0x00000069 sets al 0x0000006c lea edx, dword ptr [esp+edx] 0x0000006f jmp 00007F1C3956846Dh 0x00000071 adc ax, 0000576Bh 0x00000075 push dword ptr [esp] 0x00000078 retn 0004h 0x0000007b mov ah, bh 0x0000007d jmp 00007F1C395685BBh 0x00000082 mov word ptr [edi], cx 0x00000085 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F574E4 second address: F346A1 instructions: 0x00000000 rdtsc 0x00000002 mov edx, dword ptr [esp] 0x00000005 jmp 00007F1C39389430h 0x00000007 neg dx 0x0000000a jno 00007F1C39389488h 0x0000000c mov ecx, edi 0x0000000e mov edi, dword ptr [ecx] 0x00000010 jmp 00007F1C393665E9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F36852 second address: F36BB6 instructions: 0x00000000 rdtsc 0x00000002 mov al, byte ptr [esp] 0x00000005 jmp 00007F1C395684A6h 0x00000007 add edi, 04h 0x0000000a bsf cx, ax 0x0000000e jp 00007F1C39568ED3h 0x00000014 lea eax, dword ptr [edi+00000548h] 0x0000001a jmp 00007F1C39567C99h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F27B51 second address: F2800E instructions: 0x00000000 rdtsc 0x00000002 lea esi, dword ptr [esp+ebx] 0x00000005 mov ebp, dword ptr [esp] 0x00000008 bswap eax 0x0000000a jmp 00007F1C39389456h 0x0000000c mov ebp, dword ptr [esp+2Ch] 0x00000010 lea esi, dword ptr [00000000h+eax*4] 0x00000017 mov dh, B5h 0x00000019 mov eax, ebp 0x0000001b call 00007F1C3938947Bh 0x00000020 jmp 00007F1C39389438h 0x00000022 lea edi, dword ptr [esp+04h] 0x00000026 cmc 0x00000027 jns 00007F1C3938947Eh 0x00000029 xchg ebx, edx 0x0000002b bswap eax 0x0000002d sub esp, 000000BCh 0x00000033 mov esi, esp 0x00000035 mov al, byte ptr [esp] 0x00000038 jmp 00007F1C39389456h 0x0000003a lea ebx, dword ptr [00000000h+esi*4] 0x00000041 neg edx 0x00000043 ja 00007F1C393898CFh 0x00000049 mov bh, byte ptr [esp] 0x0000004c jmp 00007F1C393898C9h 0x00000051 mov ebx, ebp 0x00000053 jmp 00007F1C39389400h 0x00000055 sets cl 0x00000058 mov ch, byte ptr [esp] 0x0000005b rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F34512 second address: F346A1 instructions: 0x00000000 rdtsc 0x00000002 bswap edx 0x00000004 bsf dx, si 0x00000008 xchg dword ptr [esp+08h], eax 0x0000000c mov ax, word ptr [esp+1Fh] 0x00000011 jmp 00007F1C395684FDh 0x00000016 cmc 0x00000017 rol ecx, 00000000h 0x0000001a bswap edx 0x0000001c mov eax, 595FFF3Bh 0x00000021 lea edx, dword ptr [00000000h+ecx*4] 0x00000028 jmp 00007F1C39568450h 0x0000002a mov dword ptr [edi], ecx 0x0000002c mov eax, dword ptr [esp] 0x0000002f mov ecx, CEC89CB5h 0x00000034 mov cl, byte ptr [esp] 0x00000037 jmp 00007F1C395684D2h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F657CE second address: F657E7 instructions: 0x00000000 rdtsc 0x00000002 mov dx, sp 0x00000005 lea eax, dword ptr [00000000h+eax*4] 0x0000000c jmp 00007F1C3938946Eh 0x0000000e xchg dword ptr [esp], edx 0x00000011 mov ah, byte ptr [esp] 0x00000014 push si 0x00000016 xchg cx, ax 0x00000019 mov cx, 107Fh 0x0000001d xchg word ptr [esp], cx 0x00000021 jmp 00007F1C39389486h 0x00000023 lea esp, dword ptr [esp+02h] 0x00000027 lea edx, dword ptr [edx+54h] 0x0000002a setnp cl 0x0000002d bswap eax 0x0000002f lea eax, dword ptr [00000000h+ebx*4] 0x00000036 mov cx, dx 0x00000039 jmp 00007F1C39389424h 0x0000003b bswap ecx 0x0000003d xchg dword ptr [esp], edx 0x00000040 lea eax, dword ptr [00000000h+edx*4] 0x00000047 lea eax, dword ptr [edx+ebx] 0x0000004a jmp 00007F1C39389485h 0x0000004c mov edx, 65381AEFh 0x00000051 call 00007F1C39389435h 0x00000056 lea eax, dword ptr [00000000h+edx*4] 0x0000005d push dword ptr [esp+04h] 0x00000061 retn 0008h 0x00000064 pop dword ptr [edi] 0x00000066 setb ch 0x00000069 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F72ECC second address: F72ED6 instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 jmp 00007F1C39568446h 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F83EC9 second address: F346A1 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 08h 0x00000005 jnbe 00007F1C3938942Fh 0x00000007 mov byte ptr [esp+05h], al 0x0000000b jmp 00007F1C393894A0h 0x0000000d sub edi, 08h 0x00000010 stc 0x00000011 jne 00007F1C393893FEh 0x00000013 push eax 0x00000014 jmp 00007F1C39389472h 0x00000016 pop word ptr [esp] 0x0000001a lea esp, dword ptr [esp+02h] 0x0000001e xchg edx, ecx 0x00000020 jmp 00007F1C39389456h 0x00000022 push bx 0x00000024 pushfd 0x00000025 lea esp, dword ptr [esp] 0x00000028 lea esp, dword ptr [esp+02h] 0x0000002c jmp 00007F1C39389488h 0x0000002e mov dword ptr [edi], ecx 0x00000030 dec ecx 0x00000031 jno 00007F1C39389437h 0x00000033 setnle cl 0x00000036 jmp 00007F1C39389487h 0x00000038 bswap ecx 0x0000003a mov cx, word ptr [esp] 0x0000003e mov dword ptr [edi+04h], eax 0x00000041 jmp 00007F1C393895C8h 0x00000046 clc 0x00000047 jnl 00007F1C39389341h 0x0000004d rcl ecx, cl 0x0000004f ror al, cl 0x00000051 jmp 00007F1C39339B2Eh 0x00000056 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F6F66D second address: F6F66F instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F8ECF9 second address: F8EDC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1C39389511h 0x00000007 not eax 0x00000009 mov edx, edi 0x0000000b mov cx, word ptr [edx] 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: FAC844 second address: FAC875 instructions: 0x00000000 rdtsc 0x00000002 not ecx 0x00000004 jmp 00007F1C3956846Ah 0x00000006 sub edi, 02h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F322B8 second address: F322BA instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: F0C0EA second address: F0C135 instructions: 0x00000000 rdtsc 0x00000002 mov byte ptr [esp+02h], dh 0x00000006 xchg dword ptr [esp+04h], ebp 0x0000000a jmp 00007F1C3956847Eh 0x0000000c mov ecx, dword ptr [esp] 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe RDTSC instruction interceptor: First address: FF7E17 second address: FF7DB4 instructions: 0x00000000 rdtsc 0x00000002 xchg dx, ax 0x00000005 mov ah, EEh 0x00000007 lea edx, dword ptr [ebx+ebp] 0x0000000a not ah 0x0000000c jmp 00007F1C393893D6h 0x0000000e mov ch, byte ptr [esp] 0x00000011 mov dx, DB0Bh 0x00000015 mov ecx, dword ptr [esp+04h] 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ViKing-R2.exe Window / User API: threadDelayed 723
Source: C:\Users\user\Desktop\ViKing-R2.exe Window / User API: threadDelayed 712
Source: C:\Users\user\Desktop\ViKing-R2.exe Window / User API: threadDelayed 795
Source: C:\Users\user\Desktop\ViKing-R2.exe Window / User API: threadDelayed 752
Source: C:\Users\user\Desktop\ViKing-R2.exe Window / User API: threadDelayed 858
Source: C:\Users\user\Desktop\ViKing-R2.exe Dropped PE file which has not been started: C:\Users\user\Desktop\libCzf.dll
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 1576 Thread sleep time: -1446000s >= -30000s
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 4080 Thread sleep time: -1424000s >= -30000s
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 5636 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 6340 Thread sleep time: -252000s >= -30000s
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 2820 Thread sleep time: -1590000s >= -30000s
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 5456 Thread sleep time: -80000s >= -30000s
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 6592 Thread sleep time: -1504000s >= -30000s
Source: C:\Users\user\Desktop\ViKing-R2.exe TID: 4292 Thread sleep time: -1716000s >= -30000s
Source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: ViKing-R2.exe, 00000000.00000003.2537778812.00000000010F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ViKing-R2.exe, 00000000.00000003.2267744924.0000000003127000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: ViKing-R2.exe, 00000000.00000003.2537778812.00000000010F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0

Anti Debugging

Source: C:\Users\user\Desktop\ViKing-R2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ViKing-R2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ViKing-R2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ViKing-R2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ViKing-R2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ViKing-R2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ViKing-R2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ViKing-R2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ViKing-R2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ViKing-R2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ViKing-R2.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\ViKing-R2.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\ViKing-R2.exe File opened: NTICE
Source: C:\Users\user\Desktop\ViKing-R2.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\ViKing-R2.exe Process token adjusted: Debug
Source: ViKing-R2.exe, 00000000.00000003.2359095459.0000000003120000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: ViKing-R2.exe, 00000000.00000003.2359095459.0000000003120000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow