Analysis Report w73FtMA4ZTl9NFm.exe

Overview

General Information

Sample Name: w73FtMA4ZTl9NFm.exe
Analysis ID: 403703
MD5: ff44bfe6955f4d11f915b4a0b818fc7c
SHA1: 3e094caff011346ad02aeafcb5769a519cf10dc0
SHA256: 929fd55e632471f4f35295e574c6814a3de9662398b7a606e352ecba9c52de7e

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.naiping8.com/blm/"], "decoy": ["basilaws.com", "laesses.com", "isematsudai.com", "cafperfect.com", "listocalistoanimation.com", "bikesofthefuture.com", "sweette.com", "instagramhelpsnow.com", "wuxians.com", "canadianpayday.loans", "tiklaulan.xyz", "marketingbuddhi.com", "centrocaninopochs.com", "doodletrends.com", "praiship.com", "alghuta.com", "kompramania.com", "thenewdawncompany.com", "shopthegoodbar.com", "emergencyuavsolutions.com", "mayratienecasas.com", "gitaffiliate.com", "jdanielfit.com", "raisingarrowsbirthservices.com", "shirleyvansteenis.com", "jrlsports.com", "untiedpockets.com", "dingdongpaw.com", "skytrustconstruction.com", "shainamgmtsolns.com", "findinkjams.com", "erisedu.com", "marikell.com", "nelivo.com", "nyatigroupera.net", "herbyvet.com", "satviksumi.com", "earthnetic.com", "coronamimos.com", "neurologistaandreialamberti.com", "tom-kiesel.com", "creativegrowthllc.com", "unitrackerindo.com", "bgetaway.com", "humanmarijuana.com", "somuch2dohere.com", "gpt4every.com", "hunandanei.com", "honu360vr.com", "abn-co-host-listing-46731.xyz", "sitewebinfo.com", "iqiongtian.com", "evolvecommpr.com", "4980061061670012.xyz", "checkoutmyimages.com", "shifamedico.com", "tonygwynnclassic.com", "shopalndrinks.com", "nawabebiryanis.com", "productionlads.com", "zhjuku.com", "hbchuangjie.com", "fleurdelyshospitality.net", "tiffanybluandyou.com"]}
Multi AV Scanner detection for submitted file
Source: w73FtMA4ZTl9NFm.exe Virustotal: Detection: 30%
Source: w73FtMA4ZTl9NFm.exe ReversingLabs: Detection: 44%
Yara detected FormBook
Source: Yara match File source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: w73FtMA4ZTl9NFm.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: w73FtMA4ZTl9NFm.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmstp.pdbGCTL source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp, cmstp.exe
Source: Binary string: cmstp.pdb source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0C1482B8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0C1482B3
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0C149390
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0C149381
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0C1483E4
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 4x nop then pop edi 3_2_00416C8C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4x nop then pop edi 7_2_00696C8C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 64.190.62.111:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 64.190.62.111:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 64.190.62.111:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.naiping8.com/blm/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /blm/?v4=jT8U/4hmrcCGqX5zF6RLU3xaP16cys1ENKtgh6K33uf7HOVcxmeLoGjIinA45QceqzYG68+/fQ==&Jr=V48DzvNH HTTP/1.1 Host: www.kompramania.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.54.117.212
Source: global traffic HTTP traffic detected: GET /blm/?v4=jT8U/4hmrcCGqX5zF6RLU3xaP16cys1ENKtgh6K33uf7HOVcxmeLoGjIinA45QceqzYG68+/fQ==&Jr=V48DzvNH HTTP/1.1 Host: www.kompramania.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: clientconfig.passport.net
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246739537.00000000035E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000002.524154545.000000000686B000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: w73FtMA4ZTl9NFm.exe String found in binary or memory: https://github.com/unguest
Source: w73FtMA4ZTl9NFm.exe String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00419D50 NtCreateFile, 3_2_00419D50
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00419E00 NtReadFile, 3_2_00419E00
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00419E80 NtClose, 3_2_00419E80
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00419F30 NtAllocateVirtualMemory, 3_2_00419F30
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00419D4A NtCreateFile, 3_2_00419D4A
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00419DFA NtReadFile, 3_2_00419DFA
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00419E7A NtClose, 3_2_00419E7A
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00419F2A NtAllocateVirtualMemory, 3_2_00419F2A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_04639860
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639840 NtDelayExecution,LdrInitializeThunk, 7_2_04639840
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639540 NtReadFile,LdrInitializeThunk, 7_2_04639540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639910 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_04639910
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046395D0 NtClose,LdrInitializeThunk, 7_2_046395D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046399A0 NtCreateSection,LdrInitializeThunk, 7_2_046399A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639660 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_04639660
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639A50 NtCreateFile,LdrInitializeThunk, 7_2_04639A50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639650 NtQueryValueKey,LdrInitializeThunk, 7_2_04639650
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046396E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_046396E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046396D0 NtCreateKey,LdrInitializeThunk, 7_2_046396D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639710 NtQueryInformationToken,LdrInitializeThunk, 7_2_04639710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639FE0 NtCreateMutant,LdrInitializeThunk, 7_2_04639FE0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639780 NtMapViewOfSection,LdrInitializeThunk, 7_2_04639780
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0463B040 NtSuspendThread, 7_2_0463B040
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639820 NtEnumerateKey, 7_2_04639820
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046398F0 NtReadVirtualMemory, 7_2_046398F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046398A0 NtWriteVirtualMemory, 7_2_046398A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639560 NtWriteFile, 7_2_04639560
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639950 NtQueueApcThread, 7_2_04639950
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639520 NtWaitForSingleObject, 7_2_04639520
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0463AD30 NtSetContextThread, 7_2_0463AD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046395F0 NtQueryInformationFile, 7_2_046395F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046399D0 NtCreateProcessEx, 7_2_046399D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639670 NtQueryInformationProcess, 7_2_04639670
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639A20 NtResumeThread, 7_2_04639A20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639A00 NtProtectVirtualMemory, 7_2_04639A00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639610 NtEnumerateValueKey, 7_2_04639610
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639A10 NtQuerySection, 7_2_04639A10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639A80 NtOpenDirectoryObject, 7_2_04639A80
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639760 NtOpenProcess, 7_2_04639760
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639770 NtSetInformationFile, 7_2_04639770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0463A770 NtOpenThread, 7_2_0463A770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639730 NtQueryVirtualMemory, 7_2_04639730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639B00 NtSetValueKey, 7_2_04639B00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0463A710 NtOpenProcessToken, 7_2_0463A710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046397A0 NtUnmapViewOfSection, 7_2_046397A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0463A3B0 NtGetContextThread, 7_2_0463A3B0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699D50 NtCreateFile, 7_2_00699D50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699E00 NtReadFile, 7_2_00699E00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699E80 NtClose, 7_2_00699E80
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699F30 NtAllocateVirtualMemory, 7_2_00699F30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699D4A NtCreateFile, 7_2_00699D4A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699DFA NtReadFile, 7_2_00699DFA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699E7A NtClose, 7_2_00699E7A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699F2A NtAllocateVirtualMemory, 7_2_00699F2A
Detected potential crypto function
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_033BC3A0 1_2_033BC3A0
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_033BA758 1_2_033BA758
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C146484 1_2_0C146484
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C141CC8 1_2_0C141CC8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C1417F8 1_2_0C1417F8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C148B30 1_2_0C148B30
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C141CB7 1_2_0C141CB7
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C146503 1_2_0C146503
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C145EB3 1_2_0C145EB3
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C145EB8 1_2_0C145EB8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C140F10 1_2_0C140F10
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C140F09 1_2_0C140F09
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C141FB0 1_2_0C141FB0
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C141FAD 1_2_0C141FAD
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C1417E8 1_2_0C1417E8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C143823 1_2_0C143823
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C1408D3 1_2_0C1408D3
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C140908 1_2_0C140908
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C143205 1_2_0C143205
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C143208 1_2_0C143208
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C1462B0 1_2_0C1462B0
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_0C1462AD 1_2_0C1462AD
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041DB46 3_2_0041DB46
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041D357 3_2_0041D357
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041D5DD 3_2_0041D5DD
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00409DEB 3_2_00409DEB
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041DE05 3_2_0041DE05
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00409E30 3_2_00409E30
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041DE9C 3_2_0041DE9C
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041D701 3_2_0041D701
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041DFE3 3_2_0041DFE3
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B1002 7_2_046B1002
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0460841F 7_2_0460841F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C28EC 7_2_046C28EC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046220A0 7_2_046220A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C20A8 7_2_046C20A8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0460B090 7_2_0460B090
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C1D55 7_2_046C1D55
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04614120 7_2_04614120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FF900 7_2_045FF900
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C2D07 7_2_046C2D07
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F0D20 7_2_045F0D20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0460D5E0 7_2_0460D5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C25DD 7_2_046C25DD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04622581 7_2_04622581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04616E30 7_2_04616E30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C2EF7 7_2_046C2EF7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C22AE 7_2_046C22AE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C2B28 7_2_046C2B28
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C1FF1 7_2_046C1FF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BDBD2 7_2_046BDBD2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462EBB0 7_2_0462EBB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069DB46 7_2_0069DB46
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00689DEB 7_2_00689DEB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069D5D7 7_2_0069D5D7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00682D90 7_2_00682D90
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00689E30 7_2_00689E30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069DE05 7_2_0069DE05
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069DE9C 7_2_0069DE9C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069D702 7_2_0069D702
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069DFE3 7_2_0069DFE3
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00682FB0 7_2_00682FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 045FB150 appears 35 times
PE file contains strange resources
Source: w73FtMA4ZTl9NFm.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: w73FtMA4ZTl9NFm.exe Binary or memory string: OriginalFilename vs w73FtMA4ZTl9NFm.exe
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs w73FtMA4ZTl9NFm.exe
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000003.241311005.0000000004753000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs w73FtMA4ZTl9NFm.exe
Source: w73FtMA4ZTl9NFm.exe Binary or memory string: OriginalFilename vs w73FtMA4ZTl9NFm.exe
Source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMSTP.EXE` vs w73FtMA4ZTl9NFm.exe
Source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs w73FtMA4ZTl9NFm.exe
Source: w73FtMA4ZTl9NFm.exe Binary or memory string: OriginalFilenameImporterCallback.exe6 vs w73FtMA4ZTl9NFm.exe
Uses 32bit PE files
Source: w73FtMA4ZTl9NFm.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses a Windows Living Off The Land Binaries (LOL bins)
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Yara signature match
Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: w73FtMA4ZTl9NFm.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@4/1
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\w73FtMA4ZTl9NFm.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: w73FtMA4ZTl9NFm.exe Virustotal: Detection: 30%
Source: w73FtMA4ZTl9NFm.exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe'
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Process created: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: w73FtMA4ZTl9NFm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: w73FtMA4ZTl9NFm.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmstp.pdbGCTL source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp, cmstp.exe
Source: Binary string: cmstp.pdb source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_00FD94E5 push cs; iretd 1_2_00FD94E6
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_00FD9485 push cs; ret 1_2_00FD9492
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00404A36 push edi; iretd 3_2_00404A38
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00417296 push ebx; iretd 3_2_0041729B
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00409BAC push es; ret 3_2_00409BAD
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041CEF2 push eax; ret 3_2_0041CEF8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041CEFB push eax; ret 3_2_0041CF62
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041CEA5 push eax; ret 3_2_0041CEF8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041CF5C push eax; ret 3_2_0041CF62
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00B09485 push cs; ret 3_2_00B09492
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00B094E5 push cs; iretd 3_2_00B094E6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0464D0D1 push ecx; ret 7_2_0464D0E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00684A36 push edi; iretd 7_2_00684A38
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00697296 push ebx; iretd 7_2_0069729B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069D3F6 pushad ; ret 7_2_0069D3F7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00689BAC push es; ret 7_2_00689BAD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069D51B pushfd ; retf 7_2_0069D51C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069CEFB push eax; ret 7_2_0069CF62
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069CEF2 push eax; ret 7_2_0069CEF8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069CEA5 push eax; ret 7_2_0069CEF8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069CF5C push eax; ret 7_2_0069CF62
Source: initial sample Static PE information: section name: .text entropy: 7.93272076919

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xED
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: w73FtMA4ZTl9NFm.exe PID: 3764, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 00000000006898E4 second address: 00000000006898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000689B4E second address: 0000000000689B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00409A80 rdtsc 3_2_00409A80
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe TID: 4828 Thread sleep time: -103651s >= -30000s
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe TID: 4660 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5112 Thread sleep count: 36 > 30
Source: C:\Windows\explorer.exe TID: 5112 Thread sleep time: -72000s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 6404 Thread sleep time: -65000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Thread delayed: delay time: 103651
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000004.00000000.272467225.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.272467225.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.272641165.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.523676868.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.272641165.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000004.00000000.260612943.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000004.00000000.272641165.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000004.00000000.272543308.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000004.00000000.272467225.0000000008A32000.00000004.00000001.sdmp Binary or memory string: 30d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000004.00000000.272543308.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.265973100.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000002.523676868.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000002.523676868.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000004.00000002.523676868.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00409A80 rdtsc 3_2_00409A80
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0040ACC0 LdrLoadDll, 3_2_0040ACC0
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0461746D mov eax, dword ptr fs:[00000030h] 7_2_0461746D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B2073 mov eax, dword ptr fs:[00000030h] 7_2_046B2073
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C1074 mov eax, dword ptr fs:[00000030h] 7_2_046C1074
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462A44B mov eax, dword ptr fs:[00000030h] 7_2_0462A44B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04610050 mov eax, dword ptr fs:[00000030h] 7_2_04610050
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0468C450 mov eax, dword ptr fs:[00000030h] 7_2_0468C450
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0460B02A mov eax, dword ptr fs:[00000030h] 7_2_0460B02A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462BC2C mov eax, dword ptr fs:[00000030h] 7_2_0462BC2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462002D mov eax, dword ptr fs:[00000030h] 7_2_0462002D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C740D mov eax, dword ptr fs:[00000030h] 7_2_046C740D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h] 7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04676C0A mov eax, dword ptr fs:[00000030h] 7_2_04676C0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04677016 mov eax, dword ptr fs:[00000030h] 7_2_04677016
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C4015 mov eax, dword ptr fs:[00000030h] 7_2_046C4015
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B14FB mov eax, dword ptr fs:[00000030h] 7_2_046B14FB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04676CF0 mov eax, dword ptr fs:[00000030h] 7_2_04676CF0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F58EC mov eax, dword ptr fs:[00000030h] 7_2_045F58EC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0468B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0468B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0468B8D0 mov ecx, dword ptr fs:[00000030h] 7_2_0468B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C8CD6 mov eax, dword ptr fs:[00000030h] 7_2_046C8CD6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046220A0 mov eax, dword ptr fs:[00000030h] 7_2_046220A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046390AF mov eax, dword ptr fs:[00000030h] 7_2_046390AF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462F0BF mov ecx, dword ptr fs:[00000030h] 7_2_0462F0BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462F0BF mov eax, dword ptr fs:[00000030h] 7_2_0462F0BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F9080 mov eax, dword ptr fs:[00000030h] 7_2_045F9080
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04673884 mov eax, dword ptr fs:[00000030h] 7_2_04673884
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0460849B mov eax, dword ptr fs:[00000030h] 7_2_0460849B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0461C577 mov eax, dword ptr fs:[00000030h] 7_2_0461C577
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04633D43 mov eax, dword ptr fs:[00000030h] 7_2_04633D43
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0461B944 mov eax, dword ptr fs:[00000030h] 7_2_0461B944
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0461B944 mov eax, dword ptr fs:[00000030h] 7_2_0461B944
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04673540 mov eax, dword ptr fs:[00000030h] 7_2_04673540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FB171 mov eax, dword ptr fs:[00000030h] 7_2_045FB171
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FB171 mov eax, dword ptr fs:[00000030h] 7_2_045FB171
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04617D50 mov eax, dword ptr fs:[00000030h] 7_2_04617D50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FC962 mov eax, dword ptr fs:[00000030h] 7_2_045FC962
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04614120 mov eax, dword ptr fs:[00000030h] 7_2_04614120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04614120 mov eax, dword ptr fs:[00000030h] 7_2_04614120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04614120 mov eax, dword ptr fs:[00000030h] 7_2_04614120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04614120 mov eax, dword ptr fs:[00000030h] 7_2_04614120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04614120 mov ecx, dword ptr fs:[00000030h] 7_2_04614120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0467A537 mov eax, dword ptr fs:[00000030h] 7_2_0467A537
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BE539 mov eax, dword ptr fs:[00000030h] 7_2_046BE539
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h] 7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h] 7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h] 7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h] 7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h] 7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h] 7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h] 7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h] 7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h] 7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h] 7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h] 7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h] 7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h] 7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C8D34 mov eax, dword ptr fs:[00000030h] 7_2_046C8D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462513A mov eax, dword ptr fs:[00000030h] 7_2_0462513A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462513A mov eax, dword ptr fs:[00000030h] 7_2_0462513A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04624D3B mov eax, dword ptr fs:[00000030h] 7_2_04624D3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04624D3B mov eax, dword ptr fs:[00000030h] 7_2_04624D3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04624D3B mov eax, dword ptr fs:[00000030h] 7_2_04624D3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F9100 mov eax, dword ptr fs:[00000030h] 7_2_045F9100
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F9100 mov eax, dword ptr fs:[00000030h] 7_2_045F9100
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F9100 mov eax, dword ptr fs:[00000030h] 7_2_045F9100
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FAD30 mov eax, dword ptr fs:[00000030h] 7_2_045FAD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046841E8 mov eax, dword ptr fs:[00000030h] 7_2_046841E8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0460D5E0 mov eax, dword ptr fs:[00000030h] 7_2_0460D5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0460D5E0 mov eax, dword ptr fs:[00000030h] 7_2_0460D5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BFDE2 mov eax, dword ptr fs:[00000030h] 7_2_046BFDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BFDE2 mov eax, dword ptr fs:[00000030h] 7_2_046BFDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BFDE2 mov eax, dword ptr fs:[00000030h] 7_2_046BFDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BFDE2 mov eax, dword ptr fs:[00000030h] 7_2_046BFDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046A8DF1 mov eax, dword ptr fs:[00000030h] 7_2_046A8DF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04676DC9 mov eax, dword ptr fs:[00000030h] 7_2_04676DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04676DC9 mov eax, dword ptr fs:[00000030h] 7_2_04676DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04676DC9 mov eax, dword ptr fs:[00000030h] 7_2_04676DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04676DC9 mov ecx, dword ptr fs:[00000030h] 7_2_04676DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04676DC9 mov eax, dword ptr fs:[00000030h] 7_2_04676DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04676DC9 mov eax, dword ptr fs:[00000030h] 7_2_04676DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FB1E1 mov eax, dword ptr fs:[00000030h] 7_2_045FB1E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FB1E1 mov eax, dword ptr fs:[00000030h] 7_2_045FB1E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FB1E1 mov eax, dword ptr fs:[00000030h] 7_2_045FB1E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C05AC mov eax, dword ptr fs:[00000030h] 7_2_046C05AC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C05AC mov eax, dword ptr fs:[00000030h] 7_2_046C05AC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046769A6 mov eax, dword ptr fs:[00000030h] 7_2_046769A6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046261A0 mov eax, dword ptr fs:[00000030h] 7_2_046261A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046261A0 mov eax, dword ptr fs:[00000030h] 7_2_046261A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046235A1 mov eax, dword ptr fs:[00000030h] 7_2_046235A1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F2D8A mov eax, dword ptr fs:[00000030h] 7_2_045F2D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F2D8A mov eax, dword ptr fs:[00000030h] 7_2_045F2D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F2D8A mov eax, dword ptr fs:[00000030h] 7_2_045F2D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F2D8A mov eax, dword ptr fs:[00000030h] 7_2_045F2D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F2D8A mov eax, dword ptr fs:[00000030h] 7_2_045F2D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04621DB5 mov eax, dword ptr fs:[00000030h] 7_2_04621DB5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04621DB5 mov eax, dword ptr fs:[00000030h] 7_2_04621DB5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04621DB5 mov eax, dword ptr fs:[00000030h] 7_2_04621DB5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046751BE mov eax, dword ptr fs:[00000030h] 7_2_046751BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046751BE mov eax, dword ptr fs:[00000030h] 7_2_046751BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046751BE mov eax, dword ptr fs:[00000030h] 7_2_046751BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046751BE mov eax, dword ptr fs:[00000030h] 7_2_046751BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0461C182 mov eax, dword ptr fs:[00000030h] 7_2_0461C182
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04622581 mov eax, dword ptr fs:[00000030h] 7_2_04622581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04622581 mov eax, dword ptr fs:[00000030h] 7_2_04622581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04622581 mov eax, dword ptr fs:[00000030h] 7_2_04622581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04622581 mov eax, dword ptr fs:[00000030h] 7_2_04622581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462A185 mov eax, dword ptr fs:[00000030h] 7_2_0462A185
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04622990 mov eax, dword ptr fs:[00000030h] 7_2_04622990
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462FD9B mov eax, dword ptr fs:[00000030h] 7_2_0462FD9B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462FD9B mov eax, dword ptr fs:[00000030h] 7_2_0462FD9B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046AB260 mov eax, dword ptr fs:[00000030h] 7_2_046AB260
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046AB260 mov eax, dword ptr fs:[00000030h] 7_2_046AB260
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0460766D mov eax, dword ptr fs:[00000030h] 7_2_0460766D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C8A62 mov eax, dword ptr fs:[00000030h] 7_2_046C8A62
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0461AE73 mov eax, dword ptr fs:[00000030h] 7_2_0461AE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0461AE73 mov eax, dword ptr fs:[00000030h] 7_2_0461AE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0461AE73 mov eax, dword ptr fs:[00000030h] 7_2_0461AE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0461AE73 mov eax, dword ptr fs:[00000030h] 7_2_0461AE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0461AE73 mov eax, dword ptr fs:[00000030h] 7_2_0461AE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0463927A mov eax, dword ptr fs:[00000030h] 7_2_0463927A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F9240 mov eax, dword ptr fs:[00000030h] 7_2_045F9240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F9240 mov eax, dword ptr fs:[00000030h] 7_2_045F9240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F9240 mov eax, dword ptr fs:[00000030h] 7_2_045F9240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F9240 mov eax, dword ptr fs:[00000030h] 7_2_045F9240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04607E41 mov eax, dword ptr fs:[00000030h] 7_2_04607E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04607E41 mov eax, dword ptr fs:[00000030h] 7_2_04607E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04607E41 mov eax, dword ptr fs:[00000030h] 7_2_04607E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04607E41 mov eax, dword ptr fs:[00000030h] 7_2_04607E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04607E41 mov eax, dword ptr fs:[00000030h] 7_2_04607E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04607E41 mov eax, dword ptr fs:[00000030h] 7_2_04607E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BAE44 mov eax, dword ptr fs:[00000030h] 7_2_046BAE44
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BAE44 mov eax, dword ptr fs:[00000030h] 7_2_046BAE44
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BEA55 mov eax, dword ptr fs:[00000030h] 7_2_046BEA55
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04684257 mov eax, dword ptr fs:[00000030h] 7_2_04684257
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FAA16 mov eax, dword ptr fs:[00000030h] 7_2_045FAA16
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FAA16 mov eax, dword ptr fs:[00000030h] 7_2_045FAA16
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04634A2C mov eax, dword ptr fs:[00000030h] 7_2_04634A2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04634A2C mov eax, dword ptr fs:[00000030h] 7_2_04634A2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F5210 mov eax, dword ptr fs:[00000030h] 7_2_045F5210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F5210 mov ecx, dword ptr fs:[00000030h] 7_2_045F5210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F5210 mov eax, dword ptr fs:[00000030h] 7_2_045F5210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F5210 mov eax, dword ptr fs:[00000030h] 7_2_045F5210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046AFE3F mov eax, dword ptr fs:[00000030h] 7_2_046AFE3F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FC600 mov eax, dword ptr fs:[00000030h] 7_2_045FC600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FC600 mov eax, dword ptr fs:[00000030h] 7_2_045FC600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FC600 mov eax, dword ptr fs:[00000030h] 7_2_045FC600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04628E00 mov eax, dword ptr fs:[00000030h] 7_2_04628E00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B1608 mov eax, dword ptr fs:[00000030h] 7_2_046B1608
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04608A0A mov eax, dword ptr fs:[00000030h] 7_2_04608A0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04613A1C mov eax, dword ptr fs:[00000030h] 7_2_04613A1C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462A61C mov eax, dword ptr fs:[00000030h] 7_2_0462A61C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462A61C mov eax, dword ptr fs:[00000030h] 7_2_0462A61C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FE620 mov eax, dword ptr fs:[00000030h] 7_2_045FE620
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046216E0 mov ecx, dword ptr fs:[00000030h] 7_2_046216E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046076E2 mov eax, dword ptr fs:[00000030h] 7_2_046076E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04622AE4 mov eax, dword ptr fs:[00000030h] 7_2_04622AE4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04638EC7 mov eax, dword ptr fs:[00000030h] 7_2_04638EC7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04622ACB mov eax, dword ptr fs:[00000030h] 7_2_04622ACB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046AFEC0 mov eax, dword ptr fs:[00000030h] 7_2_046AFEC0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046236CC mov eax, dword ptr fs:[00000030h] 7_2_046236CC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C8ED6 mov eax, dword ptr fs:[00000030h] 7_2_046C8ED6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046746A7 mov eax, dword ptr fs:[00000030h] 7_2_046746A7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C0EA5 mov eax, dword ptr fs:[00000030h] 7_2_046C0EA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C0EA5 mov eax, dword ptr fs:[00000030h] 7_2_046C0EA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C0EA5 mov eax, dword ptr fs:[00000030h] 7_2_046C0EA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0460AAB0 mov eax, dword ptr fs:[00000030h] 7_2_0460AAB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0460AAB0 mov eax, dword ptr fs:[00000030h] 7_2_0460AAB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462FAB0 mov eax, dword ptr fs:[00000030h] 7_2_0462FAB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0468FE87 mov eax, dword ptr fs:[00000030h] 7_2_0468FE87
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462D294 mov eax, dword ptr fs:[00000030h] 7_2_0462D294
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462D294 mov eax, dword ptr fs:[00000030h] 7_2_0462D294
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F52A5 mov eax, dword ptr fs:[00000030h] 7_2_045F52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F52A5 mov eax, dword ptr fs:[00000030h] 7_2_045F52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F52A5 mov eax, dword ptr fs:[00000030h] 7_2_045F52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F52A5 mov eax, dword ptr fs:[00000030h] 7_2_045F52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F52A5 mov eax, dword ptr fs:[00000030h] 7_2_045F52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0460FF60 mov eax, dword ptr fs:[00000030h] 7_2_0460FF60
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C8F6A mov eax, dword ptr fs:[00000030h] 7_2_046C8F6A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FF358 mov eax, dword ptr fs:[00000030h] 7_2_045FF358
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04623B7A mov eax, dword ptr fs:[00000030h] 7_2_04623B7A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04623B7A mov eax, dword ptr fs:[00000030h] 7_2_04623B7A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FDB40 mov eax, dword ptr fs:[00000030h] 7_2_045FDB40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0460EF40 mov eax, dword ptr fs:[00000030h] 7_2_0460EF40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C8B58 mov eax, dword ptr fs:[00000030h] 7_2_046C8B58
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045FDB60 mov ecx, dword ptr fs:[00000030h] 7_2_045FDB60
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462E730 mov eax, dword ptr fs:[00000030h] 7_2_0462E730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C070D mov eax, dword ptr fs:[00000030h] 7_2_046C070D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C070D mov eax, dword ptr fs:[00000030h] 7_2_046C070D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462A70E mov eax, dword ptr fs:[00000030h] 7_2_0462A70E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462A70E mov eax, dword ptr fs:[00000030h] 7_2_0462A70E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B131B mov eax, dword ptr fs:[00000030h] 7_2_046B131B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F4F2E mov eax, dword ptr fs:[00000030h] 7_2_045F4F2E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_045F4F2E mov eax, dword ptr fs:[00000030h] 7_2_045F4F2E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0461F716 mov eax, dword ptr fs:[00000030h] 7_2_0461F716
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0468FF10 mov eax, dword ptr fs:[00000030h] 7_2_0468FF10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0468FF10 mov eax, dword ptr fs:[00000030h] 7_2_0468FF10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046203E2 mov eax, dword ptr fs:[00000030h] 7_2_046203E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046203E2 mov eax, dword ptr fs:[00000030h] 7_2_046203E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046203E2 mov eax, dword ptr fs:[00000030h] 7_2_046203E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046203E2 mov eax, dword ptr fs:[00000030h] 7_2_046203E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046203E2 mov eax, dword ptr fs:[00000030h] 7_2_046203E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046203E2 mov eax, dword ptr fs:[00000030h] 7_2_046203E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0461DBE9 mov eax, dword ptr fs:[00000030h] 7_2_0461DBE9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046337F5 mov eax, dword ptr fs:[00000030h] 7_2_046337F5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046753CA mov eax, dword ptr fs:[00000030h] 7_2_046753CA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046753CA mov eax, dword ptr fs:[00000030h] 7_2_046753CA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046C5BA5 mov eax, dword ptr fs:[00000030h] 7_2_046C5BA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04624BAD mov eax, dword ptr fs:[00000030h] 7_2_04624BAD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04624BAD mov eax, dword ptr fs:[00000030h] 7_2_04624BAD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04624BAD mov eax, dword ptr fs:[00000030h] 7_2_04624BAD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B138A mov eax, dword ptr fs:[00000030h] 7_2_046B138A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046AD380 mov ecx, dword ptr fs:[00000030h] 7_2_046AD380
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04601B8F mov eax, dword ptr fs:[00000030h] 7_2_04601B8F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04601B8F mov eax, dword ptr fs:[00000030h] 7_2_04601B8F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0462B390 mov eax, dword ptr fs:[00000030h] 7_2_0462B390
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04677794 mov eax, dword ptr fs:[00000030h] 7_2_04677794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04677794 mov eax, dword ptr fs:[00000030h] 7_2_04677794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04677794 mov eax, dword ptr fs:[00000030h] 7_2_04677794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04608794 mov eax, dword ptr fs:[00000030h] 7_2_04608794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04622397 mov eax, dword ptr fs:[00000030h] 7_2_04622397
Enables debug privileges
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.kompramania.com
Source: C:\Windows\explorer.exe Domain query: www.findinkjams.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.212 80
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Memory written: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 3292
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: A30000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Process created: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe'
Source: explorer.exe, 00000004.00000002.505989523.0000000001400000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.505513553.0000000002E80000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000004.00000000.265786976.0000000005F40000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000002.505513553.0000000002E80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.505989523.0000000001400000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.505513553.0000000002E80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.505989523.0000000001400000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.505513553.0000000002E80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000002.503355168.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000004.00000000.272543308.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Queries volume information: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe VolumeInformation
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE

Behavior Graph:

Behavior Graph ID: 403703 Sample: w73FtMA4ZTl9NFm.exe Startdate: 04/05/2021 Architecture: WINDOWS Score: 100
Process chain shown in the graph: w73FtMA4ZTl9NFm.exe (started; drops C:\Users\user\...\w73FtMA4ZTl9NFm.exe.log, ASCII) -> w73FtMA4ZTl9NFm.exe (started; injects a PE file into a foreign process) -> explorer.exe (injected; connects to network) -> cmstp.exe (started) -> cmd.exe (started) -> conhost.exe (started)
Domains and IPs shown in the graph: www.sweette.com, clientconfig.passport.net, prda.aadg.msidentity.com, www.kompramania.com, www.findinkjams.com, parkingpage.namecheap.com 198.54.117.212, 49722, 80 NAMECHEAP-NETUS United States
Signatures shown in the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection); System process connects to network (likely due to code injection or exploit)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
198.54.117.212 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false

Contacted Domains

Name IP Active
www.sweette.com 64.190.62.111 true
parkingpage.namecheap.com 198.54.117.212 true
www.kompramania.com unknown unknown
clientconfig.passport.net unknown unknown
www.findinkjams.com unknown unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.naiping8.com/blm/ | true | Avira URL Cloud: safe | low
http://www.kompramania.com/blm/?v4=jT8U/4hmrcCGqX5zF6RLU3xaP16cys1ENKtgh6K33uf7HOVcxmeLoGjIinA45QceqzYG68+/fQ==&Jr=V48DzvNH | true | Avira URL Cloud: safe | unknown