Play interactive tour

Edit tour

Analysis Report TT.exe

Overview

General Information

Sample Name:	TT.exe
Analysis ID:	403976
MD5:	27c863c479b0542b3bad21a67ad1406d
SHA1:	791e1d123c275ac4451c5550635c0a67eb4398a6
SHA256:	2a7a9c6d4505766ddf0a6c7dde9c2ae52369408fbe5ce93d0d3d76bf992b28dd
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: System File Execution Location Anomaly

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

TT.exe (PID: 6588 cmdline: 'C:\Users\user\Desktop\TT.exe' MD5: 27C863C479B0542B3BAD21A67AD1406D)

TT.exe (PID: 6624 cmdline: 'C:\Users\user\Desktop\TT.exe' MD5: 27C863C479B0542B3BAD21A67AD1406D)

explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

msdt.exe (PID: 7052 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)

cmd.exe (PID: 6640 cmdline: /c del 'C:\Users\user\Desktop\TT.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.knighttechinca.com/dxe/"], "decoy": ["sardarfarm.com", "959tremont.com", "privat-livecam.net", "ansel-homebakery.com", "joysupermarket.com", "peninsulamatchmakers.net", "northsytyle.com", "radioconexaoubermusic.com", "relocatingrealtor.com", "desyrnan.com", "onlinehoortoestel.online", "enpointe.online", "rvvikings.com", "paulpoirier.com", "shitarpa.net", "kerneis.net", "rokitreach.com", "essentiallygaia.com", "prestiged.net", "fuerzaagavera.com", "soukid.com", "moderndatingcoach.com", "mentalfreedom.guru", "bullishsoftware.com", "sectorulb.com", "outletyana.com", "fptplaybox.website", "artinmemory.com", "buyruon.com", "ljd.xyz", "mondaysmatters.com", "spiritsoundart.net", "ixiangzu.com", "lacompagniadelfardello.com", "bnctly.com", "sarasvati-yoga.com", "0055game.com", "lagrangewildliferemoval.com", "umlausa.com", "chaytel.com", "kkkc5.com", "union-green.com", "philreid4cc.com", "theanimehat.com", "redlightlegal.com", "myaustraliarewards.com", "barkinlot.com", "mujahidservice.online", "nugeneraonline.com", "sopplugin.com", "makemyroom.design", "ferienschweden.com", "fps2020dkasphotoop.com", "stylezbykay.com", "royalpropertiesgurugram.com", "birzulova.com", "cosmicmtn.com", "kissanime.press", "poweringprogress.today", "omsamedic.com", "drunkpoetsociety.com", "hostbison.com", "asapdecor.com", "houseofsisson.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.TT.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.TT.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.TT.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.TT.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.TT.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.TT.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
0.2.TT.exe.3030000.4.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.TT.exe.3030000.4.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.TT.exe.3030000.4.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.1.TT.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.TT.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.TT.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.1.TT.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.TT.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.TT.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
0.2.TT.exe.3030000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.TT.exe.3030000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.TT.exe.3030000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community: Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT.exe' , ParentImage: C:\Users\user\Desktop\TT.exe, ParentProcessId: 6624, ProcessCommandLine: , ProcessId: 3440

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 7052

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.knighttechinca.com/dxe/"], "decoy": ["sardarfarm.com", "959tremont.com", "privat-livecam.net", "ansel-homebakery.com", "joysupermarket.com", "peninsulamatchmakers.net", "northsytyle.com", "radioconexaoubermusic.com", "relocatingrealtor.com", "desyrnan.com", "onlinehoortoestel.online", "enpointe.online", "rvvikings.com", "paulpoirier.com", "shitarpa.net", "kerneis.net", "rokitreach.com", "essentiallygaia.com", "prestiged.net", "fuerzaagavera.com", "soukid.com", "moderndatingcoach.com", "mentalfreedom.guru", "bullishsoftware.com", "sectorulb.com", "outletyana.com", "fptplaybox.website", "artinmemory.com", "buyruon.com", "ljd.xyz", "mondaysmatters.com", "spiritsoundart.net", "ixiangzu.com", "lacompagniadelfardello.com", "bnctly.com", "sarasvati-yoga.com", "0055game.com", "lagrangewildliferemoval.com", "umlausa.com", "chaytel.com", "kkkc5.com", "union-green.com", "philreid4cc.com", "theanimehat.com", "redlightlegal.com", "myaustraliarewards.com", "barkinlot.com", "mujahidservice.online", "nugeneraonline.com", "sopplugin.com", "makemyroom.design", "ferienschweden.com", "fps2020dkasphotoop.com", "stylezbykay.com", "royalpropertiesgurugram.com", "birzulova.com", "cosmicmtn.com", "kissanime.press", "poweringprogress.today", "omsamedic.com", "drunkpoetsociety.com", "hostbison.com", "asapdecor.com", "houseofsisson.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: TT.exe	Virustotal: Detection: 25%			Perma Link
Source: TT.exe	ReversingLabs: Detection: 40%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT.exe.3030000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.TT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT.exe.3030000.4.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: TT.exe

Joe Sandbox ML: detected

Source: 1.2.TT.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.TT.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.TT.exe.3030000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: TT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: TT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.366025907.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: msdt.pdbGCTL source: TT.exe, 00000001.00000002.396335168.0000000002810000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: TT.exe, 00000000.00000003.331979334.0000000003060000.00000004.00000001.sdmp, TT.exe, 00000001.00000002.393874457.0000000000B4F000.00000040.00000001.sdmp, msdt.exe, 00000007.00000002.598843723.0000000004DFF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: TT.exe, msdt.exe
Source:	Binary string: msdt.pdb source: TT.exe, 00000001.00000002.396335168.0000000002810000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.366025907.000000000DC20000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\TT.exe	Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\TT.exe	Code function: 0_2_0040659C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\TT.exe	Code function: 0_2_004027A1 FindFirstFileA,

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.knighttechinca.com/dxe/

Source: global traffic	HTTP traffic detected: GET /dxe/?oZN=7nbLudZHS&mdslXXV=s4725d3Oabb4GJPvvzs1NGtrQqdCSFbT14B5hiC+hEbCkkM6v8NMU0M9YHV7hr/JdwNsVvK8Ug== HTTP/1.1Host: www.philreid4cc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dxe/?mdslXXV=c1qXo+D3OeWS7aQwzsMJrh0J2W+ZcnXSIybZATOUAxrA4uZvd+OeJvPZ6sfOQ4L/XOcBlc02WQ==&oZN=7nbLudZHS HTTP/1.1Host: www.sectorulb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dxe/?oZN=7nbLudZHS&mdslXXV=pSmvUx3Cd9o2ehLRUYmTuUG+rz67XAZoYuLBzxOhEanl5TCXMyweO2X8MqC68oVFQcjckZtQvA== HTTP/1.1Host: www.lagrangewildliferemoval.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 192.0.78.24 192.0.78.24

Source: Joe Sandbox View	ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View	ASN Name: EGIHOSTINGUS EGIHOSTINGUS

Source: global traffic	HTTP traffic detected: GET /dxe/?oZN=7nbLudZHS&mdslXXV=s4725d3Oabb4GJPvvzs1NGtrQqdCSFbT14B5hiC+hEbCkkM6v8NMU0M9YHV7hr/JdwNsVvK8Ug== HTTP/1.1Host: www.philreid4cc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dxe/?mdslXXV=c1qXo+D3OeWS7aQwzsMJrh0J2W+ZcnXSIybZATOUAxrA4uZvd+OeJvPZ6sfOQ4L/XOcBlc02WQ==&oZN=7nbLudZHS HTTP/1.1Host: www.sectorulb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dxe/?oZN=7nbLudZHS&mdslXXV=pSmvUx3Cd9o2ehLRUYmTuUG+rz67XAZoYuLBzxOhEanl5TCXMyweO2X8MqC68oVFQcjckZtQvA== HTTP/1.1Host: www.lagrangewildliferemoval.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.philreid4cc.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 May 2021 13:43:34 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: TT.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: TT.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000002.596476580.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\TT.exe

Code function: 0_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT.exe.3030000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.TT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT.exe.3030000.4.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.TT.exe.3030000.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.TT.exe.3030000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.TT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.TT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.TT.exe.3030000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.TT.exe.3030000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00419D60 NtCreateFile,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00419E10 NtReadFile,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00419E90 NtClose,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00419D5A NtCreateFile,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00419E0A NtReadFile,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00419E8A NtClose,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00419F3A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A998F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A999A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A995D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A996E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A997A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A998A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99820 NtEnumerateKey,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A9B040 NtSuspendThread,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A999D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99950 NtQueueApcThread,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99A10 NtQuerySection,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A9A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99B00 NtSetValueKey,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A995F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A9AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99560 NtWriteFile,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A996D0 NtCreateKey,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99650 NtQueryValueKey,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A9A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99760 NtOpenProcess,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A99770 NtSetInformationFile,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A9A770 NtOpenThread,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_1_00419D60 NtCreateFile,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_1_00419E10 NtReadFile,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_1_00419E90 NtClose,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_1_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_1_00419D5A NtCreateFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D495D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D499A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D496D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D496E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D498F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D498A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D4B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D499D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D495F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49560 NtWriteFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D4AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49A10 NtQuerySection,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49A20 NtResumeThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D4A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D497A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D4A770 NtOpenThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49760 NtOpenProcess,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D4A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D49730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007D9D60 NtCreateFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007D9E10 NtReadFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007D9E90 NtClose,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007D9F40 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007D9D5A NtCreateFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007D9E0A NtReadFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007D9E8A NtClose,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007D9F3A NtAllocateVirtualMemory,

Source: C:\Users\user\Desktop\TT.exe

Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\TT.exe	Code function: 0_2_00406925
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00401030
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_0041E1FC
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_0041D260
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_0041DA2A
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_0041BDC4
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00409E40
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00409E3C
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_0041D6DF
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_0041DFA3
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A820A0
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B220A8
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6B090
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B228EC
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11002
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A74120
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5F900
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B222AE
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8EBB0
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B1DBD2
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B22B28
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6841F
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B1D466
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A82581
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6D5E0
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B225DD
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A50D20
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B22D07
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B21D55
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B22EF7
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A76E30
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B21FF1
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_1_00401030
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_1_0041E1FC
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_1_0041D260
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_1_0041DA2A
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_1_0041BDC4
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_1_00402D90
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_1_00409E40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD28EC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D1B090
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D320A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD20A8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DCD466
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D1841F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1002
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD25DD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D1D5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D32581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD1D55
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0F900
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD2D07
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D00D20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D24120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD2EF7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD22AE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D26E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DCDBD2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD1FF1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3EBB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD2B28
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007DE1FC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007DBDC4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007C2D90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007C9E40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007C9E3C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007C2FB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007DDFA3

Source: C:\Users\user\Desktop\TT.exe	Code function: String function: 00A5B150 appears 35 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 04D0B150 appears 35 times

Source: TT.exe, 00000000.00000003.334832337.000000000333F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs TT.exe
Source: TT.exe, 00000001.00000002.396335168.0000000002810000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemsdt.exej% vs TT.exe
Source: TT.exe, 00000001.00000002.393874457.0000000000B4F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs TT.exe

Source: TT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.TT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.TT.exe.3030000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.TT.exe.3030000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.TT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.TT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.TT.exe.3030000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.TT.exe.3030000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@4/3

Source: C:\Users\user\Desktop\TT.exe

Code function: 0_2_0040473E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Users\user\Desktop\TT.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_01

Source: C:\Users\user\Desktop\TT.exe

File created: C:\Users\user\AppData\Local\Temp\nsj2C11.tmp

Jump to behavior

Source: TT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TT.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: TT.exe	Virustotal: Detection: 25%
Source: TT.exe	ReversingLabs: Detection: 40%

Source: C:\Users\user\Desktop\TT.exe

File read: C:\Users\user\Desktop\TT.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TT.exe 'C:\Users\user\Desktop\TT.exe'
Source: C:\Users\user\Desktop\TT.exe	Process created: C:\Users\user\Desktop\TT.exe 'C:\Users\user\Desktop\TT.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TT.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT.exe	Process created: C:\Users\user\Desktop\TT.exe 'C:\Users\user\Desktop\TT.exe'
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TT.exe'

Source: C:\Users\user\Desktop\TT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: TT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.366025907.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: msdt.pdbGCTL source: TT.exe, 00000001.00000002.396335168.0000000002810000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: TT.exe, 00000000.00000003.331979334.0000000003060000.00000004.00000001.sdmp, TT.exe, 00000001.00000002.393874457.0000000000B4F000.00000040.00000001.sdmp, msdt.exe, 00000007.00000002.598843723.0000000004DFF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: TT.exe, msdt.exe
Source:	Binary string: msdt.pdb source: TT.exe, 00000001.00000002.396335168.0000000002810000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.366025907.000000000DC20000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\TT.exe

Unpacked PE file: 1.2.TT.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_0041E560 push ss; ret
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_0041CEB5 push eax; ret
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_0041CF6C push eax; ret
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_0041CF02 push eax; ret
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_0041CF0B push eax; ret
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AAD0D1 push ecx; ret
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_1_0041E560 push ss; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D5D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007DE560 push ss; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007DCEB5 push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007DCF6C push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007DCF0B push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_007DCF02 push eax; ret

Source: C:\Users\user\Desktop\TT.exe

File created: C:\Users\user\AppData\Local\Temp\nse2C42.tmp\myx92o78208f0o.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEE

Source: C:\Users\user\Desktop\TT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\TT.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TT.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 00000000007C98E4 second address: 00000000007C98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 00000000007C9B5E second address: 00000000007C9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\TT.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\TT.exe

Code function: 1_2_00409A90 rdtsc

Source: C:\Windows\explorer.exe TID: 6768	Thread sleep count: 31 > 30
Source: C:\Windows\explorer.exe TID: 6768	Thread sleep time: -62000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TT.exe	Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\TT.exe	Code function: 0_2_0040659C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\TT.exe	Code function: 0_2_004027A1 FindFirstFileA,

Source: explorer.exe, 00000004.00000000.359286524.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.359206330.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.360079783.0000000008684000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.359026970.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.355462929.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.354002009.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.359206330.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.355462929.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.359026970.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000004.00000000.354002009.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.354002009.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.359026970.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.359286524.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000004.00000000.354002009.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000004.00000002.596476580.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Source: C:\Users\user\Desktop\TT.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\TT.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\TT.exe

Code function: 1_2_00409A90 rdtsc

Source: C:\Users\user\Desktop\TT.exe

Code function: 1_2_0040ACD0 LdrLoadDll,

Source: C:\Users\user\Desktop\TT.exe	Code function: 0_2_10001000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 0_2_030216D8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 0_2_030218F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A990AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A59080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A558EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AEB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B24015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B24015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B12073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B21074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A70050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A70050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A7C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A82990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AE41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A74120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A7B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A7B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A82AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A82ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A94A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A94A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A68A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A55210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A55210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A55210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A55210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A73A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B0B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B0B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B28A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A9927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B1EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AE4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A84BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A84BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A84BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B25BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A61B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A61B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B0D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B1138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A82397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A7DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B1131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A83B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A83B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B28B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B114FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B28CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A7746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AEC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AEC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A835A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A81DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A81DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A81DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B205AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B205AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A82581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A82581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A82581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A82581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B08DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B1FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B1FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B1FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B1FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B28D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B1E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A84D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A84D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A84D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00ADA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A7C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A7C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A93D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A77D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AEFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A676E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A816E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B28ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A836CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A98EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B0FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B0FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A5C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A88E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B11608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B1AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B1AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A68794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AD7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A937F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A54F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A54F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A8A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A7F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AEFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00AEFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B2070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B2070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00B28F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT.exe	Code function: 1_2_00A6EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D9B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D9B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D9B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D9B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D9B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D9B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D86CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D86CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D86CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D058EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D1849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D09080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D83884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D83884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D490AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D20050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D20050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D9C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D9C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D2746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D87016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D87016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D87016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D86C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D86C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D86C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D86C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D1B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D1B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D1B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D1B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D86DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D86DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D86DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D86DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D86DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D86DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DB8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D941E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D1D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D1D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DCFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DCFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DCFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DCFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D32990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D2C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D32581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D32581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D32581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D32581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D02D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D02D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D02D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D02D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D02D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D31DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D31DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D31DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D335A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D361A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D361A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D869A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D27D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D2B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D2B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D43D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D83540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D2C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D2C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D09100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D09100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D09100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DCE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D34D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D34D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D34D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D8A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D24120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D24120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D24120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D24120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D24120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D48EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D32ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DBFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D336CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D316E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D176E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D32AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D9FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D1AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D1AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D846A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DCEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D94257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D09240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D09240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D09240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D09240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D17E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D17E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D17E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D17E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D17E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D17E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DCAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DCAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D2AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D2AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D2AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D2AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D2AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D4927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DBB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DBB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D1766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DD8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D05210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D05210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D05210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D05210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D23A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D38E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DC1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D18A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04DBFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D0E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D44A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D44A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D853CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D853CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D437F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D2DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D3B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D32397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 7_2_04D18794 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\TT.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\TT.exe

Code function: 0_2_10001464 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.philreid4cc.com
Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.24 80
Source: C:\Windows\explorer.exe	Domain query: www.lagrangewildliferemoval.com
Source: C:\Windows\explorer.exe	Network Connect: 107.180.41.236 80
Source: C:\Windows\explorer.exe	Domain query: www.sectorulb.com
Source: C:\Windows\explorer.exe	Network Connect: 107.165.149.13 80

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\TT.exe	Section loaded: unknown target: C:\Users\user\Desktop\TT.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TT.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TT.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TT.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TT.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\TT.exe	Thread register set: target process: 3440
Source: C:\Users\user\Desktop\TT.exe	Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\msdt.exe	Thread register set: target process: 3440

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\TT.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\TT.exe

Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: B20000

Source: C:\Users\user\Desktop\TT.exe	Process created: C:\Users\user\Desktop\TT.exe 'C:\Users\user\Desktop\TT.exe'
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TT.exe'

Source: explorer.exe, 00000004.00000000.340378838.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000007.00000002.597591476.0000000003390000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.596305048.00000000008B8000.00000004.00000020.sdmp, msdt.exe, 00000007.00000002.597591476.0000000003390000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.340378838.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000007.00000002.597591476.0000000003390000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000004.00000000.340378838.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000007.00000002.597591476.0000000003390000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\TT.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT.exe.3030000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.TT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT.exe.3030000.4.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.TT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT.exe.3030000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.TT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT.exe.3030000.4.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Access Token Manipulation1	Rootkit1	Credential API Hooking1	Security Software Discovery131	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection512	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Access Token Manipulation1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing11	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TT.exe	25%	Virustotal		Browse
TT.exe	40%	ReversingLabs	Win32.Trojan.Predator
TT.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nse2C42.tmp\myx92o78208f0o.dll	9%	ReversingLabs	Win32.Trojan.Jaik

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.TT.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.0.TT.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
0.0.TT.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
7.2.msdt.exe.520f834.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.1.TT.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.TT.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
7.2.msdt.exe.2d06a10.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.TT.exe.3030000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
philreid4cc.com	1%	Virustotal		Browse
lagrangewildliferemoval.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.lagrangewildliferemoval.com/dxe/?oZN=7nbLudZHS&mdslXXV=pSmvUx3Cd9o2ehLRUYmTuUG+rz67XAZoYuLBzxOhEanl5TCXMyweO2X8MqC68oVFQcjckZtQvA==	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.sectorulb.com/dxe/?mdslXXV=c1qXo+D3OeWS7aQwzsMJrh0J2W+ZcnXSIybZATOUAxrA4uZvd+OeJvPZ6sfOQ4L/XOcBlc02WQ==&oZN=7nbLudZHS	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.philreid4cc.com/dxe/?oZN=7nbLudZHS&mdslXXV=s4725d3Oabb4GJPvvzs1NGtrQqdCSFbT14B5hiC+hEbCkkM6v8NMU0M9YHV7hr/JdwNsVvK8Ug==	0%	Avira URL Cloud	safe
www.knighttechinca.com/dxe/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
philreid4cc.com	192.0.78.24	true	true	1%, Virustotal, Browse	unknown
umlausa.com	34.98.99.30	true	true		unknown
www.sectorulb.com	107.165.149.13	true	true		unknown
lagrangewildliferemoval.com	107.180.41.236	true	true	0%, Virustotal, Browse	unknown
www.lagrangewildliferemoval.com	unknown	unknown	true		unknown
www.umlausa.com	unknown	unknown	true		unknown
www.philreid4cc.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.lagrangewildliferemoval.com/dxe/?oZN=7nbLudZHS&mdslXXV=pSmvUx3Cd9o2ehLRUYmTuUG+rz67XAZoYuLBzxOhEanl5TCXMyweO2X8MqC68oVFQcjckZtQvA==	true	Avira URL Cloud: safe	unknown
http://www.sectorulb.com/dxe/?mdslXXV=c1qXo+D3OeWS7aQwzsMJrh0J2W+ZcnXSIybZATOUAxrA4uZvd+OeJvPZ6sfOQ4L/XOcBlc02WQ==&oZN=7nbLudZHS	true	Avira URL Cloud: safe	unknown
http://www.philreid4cc.com/dxe/?oZN=7nbLudZHS&mdslXXV=s4725d3Oabb4GJPvvzs1NGtrQqdCSFbT14B5hiC+hEbCkkM6v8NMU0M9YHV7hr/JdwNsVvK8Ug==	true	Avira URL Cloud: safe	unknown
www.knighttechinca.com/dxe/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000004.00000002.596476580.000000000095C000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	TT.exe	false		high
http://www.goodfont.co.kr	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false		high
http://nsis.sf.net/NSIS_Error	TT.exe	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
192.0.78.24	philreid4cc.com	United States	2635	AUTOMATTICUS	true
107.180.41.236	lagrangewildliferemoval.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
107.165.149.13	www.sectorulb.com	United States	18779	EGIHOSTINGUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	403976
Start date:	04.05.2021
Start time:	15:40:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 7s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	TT.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/4@4/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 22.4% (good quality ratio 20.3%) Quality average: 74.3% Quality standard deviation: 30.9%
HCA Information:	Successful, ratio: 90% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
192.0.78.24	08917506_by_Libranalysis.exe	Get hash	malicious	Browse	www.sherylabrahamphotography.com/o86d/?W6jDfD=VzK2bv7yp5iwEBdNZQjCdXXbrLCot30MtbV4orBq8x4MF4HvmT9bEqgnu31MbrCbNdKakV5eJA==&Yn=ybdHh8KP02GTtb
	DVO100024000.doc	Get hash	malicious	Browse	www.mariacolom.net/f0sg/?tDK=AymEOqKSVycllsucagJ3uquKzbaTRejMwBNJTz2lYWa4o9lkvFa+mpTu9QIvYFHSKZDd6A==&LPYP_=Sfgd
	lFfDzzZYTl.exe	Get hash	malicious	Browse	www.micheldrake.com/p2io/?_RAd4V=YL0THJvhl8d&iBIXf4M=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+a1hjfUwipOV1CQA6A==
	win32.exe	Get hash	malicious	Browse	www.jjwheelerphotography.com/hx3a/?ETPPOfO=HQ9W41OR6IY4WMlgz7ohhqskOlb/u2Nwhc+7no5Vp+hf9TuBBHO+5iRY2jTFM+WSMdE+&UR-hC=00Gdc830MjwppviP
	regasm.exe	Get hash	malicious	Browse	www.didsss.com/nqs9/?nbZdq4=dVfJ12aU7P1vtr0V7f4ZSuio1H1BmGrXzc61GzQ1cc/EKZrMEgEOFtlW/dhEQBMkQYhn&DxoTF=VBZHmLVX_dHX06
	oEWV80rj6fgwF5i.exe	Get hash	malicious	Browse	www.maseralda.com/ni6e/?nPntM8=dXbHup58-RGl&E6A=y8SBlkjU4W39Ly1T/KIONjFVZVrG132kczY/fXhHYMs1ha7B0OtwBDERUcslfp+UVYhd
	HG546092227865431209.exe	Get hash	malicious	Browse	www.richysculturalstuff.com/ct6a/?j2JHaJc=hKmAkhvb6mkv9zaFtr8IBA3Y8OUBY5g53ObP4/ibO16ZiyPs+HJ8s4t51tF1eI8O7LER&KthHT=LXaP
	invoice.exe	Get hash	malicious	Browse	www.legacyadmin.support/e3rs/?w0G=0yUiwx1wLvxUfzb5kCZXOl2J+dvoSMZhdpoUDtYYFWxv9npQwlOrxt3zkZH4aLHtWZT3&uFQl=XP7HMT_8
	o2KKHvtb3c.exe	Get hash	malicious	Browse	www.translations.tools/nsag/?GTgP=1Yx90tXdezyuV8sDZLNplGUVoptWSuBjE4/oeiBfqPIPAmaYyomwKJS6i2A6lUxe1bSuh3UNpg==&5jr=UlSpj
	PO#41000055885.exe	Get hash	malicious	Browse	www.billpollakwritingandediting.com/s2oc/?GzrL=WBjT_rUpa&8pDp00Hp=iEnqtY0VDkZROpxH3svCV1z4vh0RNvDxHQ/1OCo0cqhO00C//BGB8bIyEE+Kz7q/Bf/i
	swift_76567643.exe	Get hash	malicious	Browse	www.robztech.com/m8es/?CVJ=t8DGnXKWWWU8raNxivnbQjw3Z37WBEdYjZZIAloy7atrUUbC+CA3ztV2uFkjRRfw03U+&oX9=Txo8ntB0WBsp
	PDF NEW P.OJerhWEMSj4RnE4Z.exe	Get hash	malicious	Browse	www.ichaugames.com/edbs/?LZ9p=YgPC843WNdMasmCWk8z83XX/O5HllNmlhNkRKlPYh5DfpYamg+RMipCIUjeKta/lrbmo&MnZ=GXLpz
	Swift.exe	Get hash	malicious	Browse	www.pranatarot.com/edbs/?M6AlI=DP8A5Ne5M9xGBq1tjWprXkQLMPcjoeoXNStDN+ay4cQr/vSv+J0F/9nmPhuRTLw7c/6NIAJFgw==&T8RH=9rqdJ4wpALk
	TNUiVpymgH.exe	Get hash	malicious	Browse	www.longdoggy.net/vu9b/?yhRdNvKX=NeJ6fTW54FiVLomARoXtZYU3dCbrOkLIBtzKWj45EW4cSvDsCI/Ad3ky2rZHNP/pygFH&Sj=CTFH
	Swift Advise.exe	Get hash	malicious	Browse	www.billpollakwritingandediting.com/s2oc/?Hlnxrrv=iEnqtY0VDkZROpxH3svCV1z4vh0RNvDxHQ/1OCo0cqhO00C//BGB8bIyEE+gsLa/Fd3i&N48xBX=5jrXZXrHL6gpNHc
	vfe1GoeC5F.exe	Get hash	malicious	Browse	www.emmajanetracy.com/iu4d/?wTPHg6=ZliXVxFXgH&F8Sl=JOOHHYcCVAiumnatH9FSz+DjDh0K1BlAW5euFZ4O/VfuOjdNwQJji3cnAkLnRBXIBtcN
	New Purchase Order GH934782GHY489330.exe	Get hash	malicious	Browse	www.texasgirlcooks.com/n8ih/?FRd4X8=LwVPcdZXggMsOEqjpBC1UWbJi/W0BJRKlKtnOmrCDSW2VJzQcSCcpwg+xjq2DIU/ljr6&v8yH=ZPGXSpGP_
	enlu5xSNKV.exe	Get hash	malicious	Browse	www.mels.ink/jzvu/?T48h3FW=iJYv1UkuT0Zpi+IGsxHty87S2Dat4Pv7Wp3PPo6PPkk3ttxekOlDn9vNvymr9ZuQ7HO4&GPGXR=rVgD9v10QRyTEj
	KL9fcbfrMB.exe	Get hash	malicious	Browse	www.micheldrake.com/p2io/?TT=FjUh3Tu&idCtDnlP=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+ZZx/uILlcnE
	Bs04AQyK2o.exe	Get hash	malicious	Browse	www.blake-skinner.com/cyna/?GzuD=PDCWDhm1FORq+rZomwaGxMfk5udIXQ8UnpXBsbRxRfrc3sHkOqGAjqDUEuQ1Be52SJ1X&AnB=O0DXDNwPE

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-26496-GO-DADDY-COM-LLCUS	SWIFT 00395_IMG.exe	Get hash	malicious	Browse	184.168.131.241
	4GGwmv0AJm.exe	Get hash	malicious	Browse	50.62.168.157
	c647b2da_by_Libranalysis.exe	Get hash	malicious	Browse	184.168.131.241
	HAWB AND INV.exe	Get hash	malicious	Browse	107.180.57.119
	Inquiry 05042021.doc	Get hash	malicious	Browse	107.180.43.16
	don.exe	Get hash	malicious	Browse	184.168.131.241
	Comand#U0103 de achizi#U021bie PP050321.exe	Get hash	malicious	Browse	184.168.131.241
	O1E623TjjW.exe	Get hash	malicious	Browse	184.168.131.241
	product specification.xlsx	Get hash	malicious	Browse	184.168.131.241
	9DWvynenEDJ11fY.exe	Get hash	malicious	Browse	184.168.131.241
	PURCHASE ORDER.exe	Get hash	malicious	Browse	184.168.131.241
	ETC-B72-LT-0149-03-AR.exe	Get hash	malicious	Browse	184.168.131.241
	SecuriteInfo.com.Heur.3869.xls	Get hash	malicious	Browse	192.186.217.35
	SecuriteInfo.com.Heur.3869.xls	Get hash	malicious	Browse	192.186.217.35
	SecuriteInfo.com.Heur.12433.xls	Get hash	malicious	Browse	192.186.217.35
	SecuriteInfo.com.Heur.12433.xls	Get hash	malicious	Browse	192.186.217.35
	Documents_1906038956_974385067.xls	Get hash	malicious	Browse	192.186.217.35
	Documents_1906038956_974385067.xls	Get hash	malicious	Browse	192.186.217.35
	Bill Of Lading & Packing List.pdf.gz.exe	Get hash	malicious	Browse	107.180.44.132
	SecuriteInfo.com.Heur.3421.xls	Get hash	malicious	Browse	192.186.217.35
AUTOMATTICUS	08917506_by_Libranalysis.exe	Get hash	malicious	Browse	192.0.78.24
	4GGwmv0AJm.exe	Get hash	malicious	Browse	192.0.78.25
	c647b2da_by_Libranalysis.exe	Get hash	malicious	Browse	192.0.78.12
	0d69e4f6_by_Libranalysis.xls	Get hash	malicious	Browse	192.0.78.25
	wMqdemYyHm.exe	Get hash	malicious	Browse	192.0.78.25
	MSUtbPjUGib2dvd.exe	Get hash	malicious	Browse	192.0.78.25
	PROFORMA INVOICE-INV393456434.pdf.exe	Get hash	malicious	Browse	192.0.78.25
	agnesng@hanglung.comOnedrive.html	Get hash	malicious	Browse	192.0.77.2
	PO_29_00412.exe	Get hash	malicious	Browse	192.0.78.25
	Enrollment_Benefits-2022.docx	Get hash	malicious	Browse	192.0.66.2
	Enrollment_Benefits-2022.docx	Get hash	malicious	Browse	192.0.66.2
	DVO100024000.doc	Get hash	malicious	Browse	192.0.78.24
	ofert#U0103 comand#U0103 de cump#U0103rare_pdf.exe	Get hash	malicious	Browse	192.0.78.25
	PAGO 50,867.00 USD (ANTICIPO) 23042021 DOC-20204207MT-1.exe	Get hash	malicious	Browse	192.0.78.25
	Rio International LLC URGENT REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse	192.0.78.25
	RDAx9iDSEL.exe	Get hash	malicious	Browse	192.0.78.25
	order drawing 101.exe	Get hash	malicious	Browse	192.0.78.25
	lFfDzzZYTl.exe	Get hash	malicious	Browse	192.0.78.24
	SA-NQAW12n-NC9W03-pdf.exe	Get hash	malicious	Browse	192.0.78.25
	SWIFT COPY.exe	Get hash	malicious	Browse	192.0.78.246
EGIHOSTINGUS	a3aa510e_by_Libranalysis.exe	Get hash	malicious	Browse	104.252.43.114
	Airwaybill # 6913321715.exe	Get hash	malicious	Browse	107.165.10.98
	PURCHASE ORDER.exe	Get hash	malicious	Browse	45.38.16.182
	DocNo2300058329.doc__.rtf	Get hash	malicious	Browse	104.252.43.114
	Bill Of Lading & Packing List.pdf.gz.exe	Get hash	malicious	Browse	104.252.53.97
	pVrqrGltiL.exe	Get hash	malicious	Browse	50.118.250.118
	PO#10244.exe	Get hash	malicious	Browse	45.39.20.158
	M23ErBe32Z0IeOO.exe	Get hash	malicious	Browse	104.252.6.32
	REVISED PURCHASE ORDER.exe	Get hash	malicious	Browse	45.38.16.182
	z5Wqivscwd.exe	Get hash	malicious	Browse	104.252.38.60
	New order.04272021.DOC.exe	Get hash	malicious	Browse	166.88.252.48
	PI34567890987.exe	Get hash	malicious	Browse	104.164.224.84
	PAGO 50,867.00 USD (ANTICIPO) 23042021 DOC-20204207MT-1.exe	Get hash	malicious	Browse	45.39.35.49
	Quotation Sheet - RFQ26042021.doc	Get hash	malicious	Browse	142.111.21.219
	Bank Details Pdf.exe	Get hash	malicious	Browse	107.186.135.239
	DXBR001342103.exe	Get hash	malicious	Browse	104.252.53.97
	5PthEm83NG.exe	Get hash	malicious	Browse	142.111.47.2
	4EQNFqt5Nm.exe	Get hash	malicious	Browse	107.164.222.94
	z3hir.x86	Get hash	malicious	Browse	172.252.255.254
	Financial Results April 21.pptx (9,753K).exe	Get hash	malicious	Browse	107.165.116.66

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\0y2c2kp8hi4mjyo Download File
Process:	C:\Users\user\Desktop\TT.exe
File Type:	data
Category:	dropped
Size (bytes):	6661
Entropy (8bit):	7.963770055031023
Encrypted:	false
SSDEEP:	192:SimHkX3ewaiyPJsxWqCU6B4/bHAde+xhUYX3br:SzkHhQPJsxLl+4/bHGe+xhU6br
MD5:	29D5136A5CEBC1CC9D92D96344C5B940
SHA1:	60CA9749C6D7927AE081E54333D7CEB0B1D90E71
SHA-256:	0A96FEF5360AF7477BE785AE5EA73E12B6CEE800CDCC4D405A2C9E6E8A8A5472
SHA-512:	8FAC511CDA60762BAC0C7A1C7C4D717D8066DFB43D7DF83EAB07C89239153D49849BFEA3AD60E74A9329C1A35E928EAE8E1E45DECF9FA3F7A1C3EC6B7149ACE7
Malicious:	false
Reputation:	low
Preview:	..].u-......$.-.G...sZ.H....2..c..y.YW....r%Z....&_..Q.HYy......<^.0O.......Vw.WwO\|..C....r...f...%.v.../x<.z..%....yX.Dbh..X.Jk..wL....."..k.+#...B..fj:"..v.p...s.A ?..Q...&..0.<........7+Ix....%......%B.O....^Ih.qLiMY...<...d~..0..(.N..#.....F.d...""..#.?...8.I.....sk..p.....xl...q...h..]](.T...s.W<.0e.h.@.K.k..:t.g..E.2U.[..B..lM.]iu6N.x...0...x...7...=i..[...s.9..E....F.\}...^..#.0.9>.......t..\T,...h.....i.kJ-.R....OTua%@._..z..$n..q.=.....z.r...>.....<.....zj7.O....`./..._...ot...z[.b{.....Ab...lM.xRC$.DT..JL.?W.u9......5...............0...:.....-Z.iM...z.c...2..x8W..cB....\.zq.;....;.......{k.m.nO.~.d."j.6g.}..uu...,..X8..`.L.q)..]'_~.K!I&.Q!y....+..Z..=H.7.&T<[z.ejT.....r....Ih..4.>.@.b.lh.Z.v"]..%.W.t.*.@./.f...DL9..7V.fC...#y.........`...Z$..YMV...G..Y.9...,....7C...>!#.....".3_.9V.v..%....5'zKp.......z...nX.w..\;.aO.....1Nn<Hz.....~y ~.i."..H.\}..x$U.$.......vW/..ctR.@?.U.h%h.....i+..{x....]...Q.n\|..{z."mq.%.P.x...&..pC.=...

C:\Users\user\AppData\Local\Temp\fcd80q5almvhl9patzxy Download File
Process:	C:\Users\user\Desktop\TT.exe
File Type:	data
Category:	dropped
Size (bytes):	185856
Entropy (8bit):	7.9991875975833
Encrypted:	true
SSDEEP:	3072:CK9gUhvV+Vq661sHb3+/T951XpBBxDnoVWmg3Sqa8w2pq5iYvTID4qvcRP:v1hvV+EuHbE551ZBXDn5mg3SS48DT0P
MD5:	CD814429874D77D4228FC5B1614F78B8
SHA1:	319F2CDE578488373E81CC90D83C03DFB3869B62
SHA-256:	DF65396F209C8E9B4A9C3641E12C86512F36D61C72D132A22B9FD402D0B96454
SHA-512:	7A08BB5DB2FD88C0E86CA549C2227DE3D4AD9726EA9562ED46B70A74F29A124679D36B4C2BB4DF203994DA1F80F67A6FD908FF27CB7FAE68F8111803DC27657F
Malicious:	false
Reputation:	low
Preview:	..u..S~.....sl.x8..R.....@c.......p_...p... 8.mc..G..l..@.a.6......zt\|X...c.....!..Y..c..\|..`..L.5..H.2.."y.[-2..C'..!..{......l%h..N......3.i.....~.-.f.Y.....?#....yn.=.G"..?.%..c.)7C5..A....~WS:.}+.6.......#.P.qt.....t..a....Z.?f.L.....4.V....c6..R......A......mF....7....Sh"SL<...R....D..pi.Ao..Ct.....9...../R.F...u:.......`N.{..H...Y.....g.10"-.y.]vt.....:....ic.].....`..7,..>.......j...8......".....y.......E.Y.....l.A.-...?..d.Qf..(..3..zO.Qf.R..A...a..'.k.(..4......tc.D&.&..!x.9.}SA9h..y\|.f..x..W9..y.oo.0\|.Y......`...{.B+W..:`.s...D.^..;...f.q.2...l..@...Z .A..5....9.`....2..&..%.,US2......oy.i4.jT.7.qS7..nQ.0.....3..%........Zb.H.......mEiG.=.V.9,kI..u.r...h.SV^.i(..=.Z.d$.%\.k.qx2...t..C.X.(R......`....#K..=s.~...lxE..)..o..\ 3..."7.Eb....(.^s(...v.\|P...I.....-.......f...J.si.v.V.w.}XG0#.3[.....6.G....P..].k.G..aZ..R....!...lM.2.`z.7nJU..~.`....=..=.B......"... ...1&....F.../....d.....8._<...3=.D/5....a.(.bI..;k6.H.....1.K..N.>"

C:\Users\user\AppData\Local\Temp\nse2C42.tmp\myx92o78208f0o.dll Download File
Process:	C:\Users\user\Desktop\TT.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	4.259466324255951
Encrypted:	false
SSDEEP:	96:BSEn1ASkfNDZ+tCEYB0IvlPxul4jdkpN3U:BSrX7JpEajdkpN3
MD5:	8BB43D922F43F1EFF660149AE2561939
SHA1:	AA781D53BF123D1DEAD8C960EEBB1079412B36F1
SHA-256:	E61D2234DE5A9841B5685B5FF23A2BAA6D56F564CDAFBA16709327ADB642C2D1
SHA-512:	76DBF56E555404296B185DE8B512DD287CB791B0BBDD2882DD2A86DBEED28551EE57E7B699FC0B5133171A4B47155CCE6AFB7C02C908578E130856092955E96B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.}XX..XX..XX...0./]X....,.UX..XX..xX...1./YX...1./YX...1./YX..RichXX..........PE..L......`...........!......................... ...............................@......................................p!..P...."....................................... ............................... ..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...L....0......................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsj2C12.tmp Download File
Process:	C:\Users\user\Desktop\TT.exe
File Type:	data
Category:	dropped
Size (bytes):	200878
Entropy (8bit):	7.953929630191505
Encrypted:	false
SSDEEP:	6144:GkO1hvV+EuHbE551ZBXDn5mg3SS48DT0:AbZGbeTn55T
MD5:	B3F76B4476659ABABAFB2F9E8F5BC0A5
SHA1:	6BDC8E0CC5A7503048F5700D7A771E85EF7C732B
SHA-256:	B96AA6E0B6B3A074084C2901C633CD5D150EC1DB6A00DC50A7C9B98E76DB12CF
SHA-512:	23146C5150D1D0F04CD0AF31FC653650F7FE851F0BF464075837640A97C468016F800A1F0A822C04683ABD14C61186DD12AD0F7DCAD3FD9446EF76D01458109C
Malicious:	false
Reputation:	low
Preview:	........,...................................................................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.895457089286785
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TT.exe
File size:	233940
MD5:	27c863c479b0542b3bad21a67ad1406d
SHA1:	791e1d123c275ac4451c5550635c0a67eb4398a6
SHA256:	2a7a9c6d4505766ddf0a6c7dde9c2ae52369408fbe5ce93d0d3d76bf992b28dd
SHA512:	9b66354f49ade9d600e741cb2e626796830260745b1cd7540d611dc19e8576cacad95a9e03614ba36149df440cbe1efb7de5e73b4fce3a4ab7d60c42451b04da
SSDEEP:	6144:lPXZu0jlSr+Op4w+ZTXu4kVZxnnghYuLj+GblVMD/TLrZp:TDjIp49ZTqhsYuLqCSL/n
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....$_.................d..........a4............@

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General
Entrypoint:	0x403461
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D6E4 [Sat Aug 1 02:43:48 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ea4e67a31ace1a72683a99b80cf37830

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B0h]
call dword ptr [004080C0h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042474Ch], eax
je 00007FDE24E73463h
push ebx
call 00007FDE24E765DEh
cmp eax, ebx
je 00007FDE24E73459h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007FDE24E7655Ah
push esi
call dword ptr [004080B8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FDE24E7343Dh
push 0000000Bh
call 00007FDE24E765B2h
push 00000009h
call 00007FDE24E765ABh
push 00000007h
mov dword ptr [00424744h], eax
call 00007FDE24E7659Fh
cmp eax, ebx
je 00007FDE24E73461h
push 0000001Eh
call eax
test eax, eax
je 00007FDE24E73459h
or byte ptr [0042474Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [00424818h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041FD10h
call dword ptr [0040816Ch]
push 0040A1ECh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8438	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d000	0xa50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x623c	0x6400	False	0.65859375	data	6.40257705324	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1274	0x1400	False	0.43359375	data	5.05749598324	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1a858	0x600	False	0.445963541667	data	4.08975001509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x25000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2d000	0xa50	0xc00	False	0.402994791667	data	4.1909607241	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2d190	0x2e8	data	English	United States
RT_DIALOG	0x2d478	0x100	data	English	United States
RT_DIALOG	0x2d578	0x11c	data	English	United States
RT_DIALOG	0x2d698	0x60	data	English	United States
RT_GROUP_ICON	0x2d6f8	0x14	data	English	United States
RT_MANIFEST	0x2d710	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/04/21-15:41:42.977363	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:41:43.014361	ICMP	449	ICMP Time-To-Live Exceeded in Transit			84.17.52.126	192.168.2.6
05/04/21-15:41:43.015936	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:41:43.052119	ICMP	449	ICMP Time-To-Live Exceeded in Transit			5.56.20.161	192.168.2.6
05/04/21-15:41:43.053773	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:41:43.092112	ICMP	449	ICMP Time-To-Live Exceeded in Transit			91.206.52.152	192.168.2.6
05/04/21-15:41:43.095066	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:41:46.656561	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:41:50.660407	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:41:54.656546	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:41:58.657044	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:42:02.663919	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:42:06.658201	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:42:10.658652	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:42:14.660420	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:42:18.705109	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:42:22.659447	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:42:26.659303	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:42:30.660211	ICMP	384	ICMP PING			192.168.2.6	13.107.4.50
05/04/21-15:42:30.696138	ICMP	408	ICMP Echo Reply			13.107.4.50	192.168.2.6
05/04/21-15:43:53.413305	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49750	34.98.99.30	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 15:42:50.230664015 CEST	49735	80	192.168.2.6	192.0.78.24
May 4, 2021 15:42:50.273006916 CEST	80	49735	192.0.78.24	192.168.2.6
May 4, 2021 15:42:50.273149014 CEST	49735	80	192.168.2.6	192.0.78.24
May 4, 2021 15:42:50.273303986 CEST	49735	80	192.168.2.6	192.0.78.24
May 4, 2021 15:42:50.315745115 CEST	80	49735	192.0.78.24	192.168.2.6
May 4, 2021 15:42:50.315778017 CEST	80	49735	192.0.78.24	192.168.2.6
May 4, 2021 15:42:50.315784931 CEST	80	49735	192.0.78.24	192.168.2.6
May 4, 2021 15:42:50.316112995 CEST	49735	80	192.168.2.6	192.0.78.24
May 4, 2021 15:42:50.316195011 CEST	49735	80	192.168.2.6	192.0.78.24
May 4, 2021 15:42:50.356570959 CEST	80	49735	192.0.78.24	192.168.2.6
May 4, 2021 15:43:10.725258112 CEST	49741	80	192.168.2.6	107.165.149.13
May 4, 2021 15:43:10.926847935 CEST	80	49741	107.165.149.13	192.168.2.6
May 4, 2021 15:43:10.926980019 CEST	49741	80	192.168.2.6	107.165.149.13
May 4, 2021 15:43:10.927222013 CEST	49741	80	192.168.2.6	107.165.149.13
May 4, 2021 15:43:11.182739973 CEST	80	49741	107.165.149.13	192.168.2.6
May 4, 2021 15:43:11.412791014 CEST	49741	80	192.168.2.6	107.165.149.13
May 4, 2021 15:43:11.669020891 CEST	80	49741	107.165.149.13	192.168.2.6
May 4, 2021 15:43:34.022903919 CEST	49749	80	192.168.2.6	107.180.41.236
May 4, 2021 15:43:34.155426025 CEST	80	49749	107.180.41.236	192.168.2.6
May 4, 2021 15:43:34.155611992 CEST	49749	80	192.168.2.6	107.180.41.236
May 4, 2021 15:43:34.155756950 CEST	49749	80	192.168.2.6	107.180.41.236
May 4, 2021 15:43:34.290843964 CEST	80	49749	107.180.41.236	192.168.2.6
May 4, 2021 15:43:34.301795006 CEST	80	49749	107.180.41.236	192.168.2.6
May 4, 2021 15:43:34.301826954 CEST	80	49749	107.180.41.236	192.168.2.6
May 4, 2021 15:43:34.302002907 CEST	49749	80	192.168.2.6	107.180.41.236
May 4, 2021 15:43:34.302054882 CEST	49749	80	192.168.2.6	107.180.41.236
May 4, 2021 15:43:34.434403896 CEST	80	49749	107.180.41.236	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 15:41:36.144141912 CEST	53	49283	8.8.8.8	192.168.2.6
May 4, 2021 15:41:36.154351950 CEST	53	58377	8.8.8.8	192.168.2.6
May 4, 2021 15:41:37.403296947 CEST	55074	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:37.453011990 CEST	53	55074	8.8.8.8	192.168.2.6
May 4, 2021 15:41:38.183526993 CEST	54513	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:38.234077930 CEST	53	54513	8.8.8.8	192.168.2.6
May 4, 2021 15:41:38.975087881 CEST	62044	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:39.023847103 CEST	53	62044	8.8.8.8	192.168.2.6
May 4, 2021 15:41:39.787544012 CEST	63791	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:39.838179111 CEST	53	63791	8.8.8.8	192.168.2.6
May 4, 2021 15:41:39.877981901 CEST	64267	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:39.937056065 CEST	53	64267	8.8.8.8	192.168.2.6
May 4, 2021 15:41:40.619221926 CEST	49448	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:40.667752028 CEST	53	49448	8.8.8.8	192.168.2.6
May 4, 2021 15:41:42.016491890 CEST	60342	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:42.070719004 CEST	53	60342	8.8.8.8	192.168.2.6
May 4, 2021 15:41:42.908386946 CEST	61346	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:42.963763952 CEST	51774	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:42.976145983 CEST	53	61346	8.8.8.8	192.168.2.6
May 4, 2021 15:41:43.014395952 CEST	53	51774	8.8.8.8	192.168.2.6
May 4, 2021 15:41:43.920546055 CEST	56023	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:43.969271898 CEST	53	56023	8.8.8.8	192.168.2.6
May 4, 2021 15:41:44.781716108 CEST	58384	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:44.833266973 CEST	53	58384	8.8.8.8	192.168.2.6
May 4, 2021 15:41:45.841543913 CEST	60261	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:45.893538952 CEST	53	60261	8.8.8.8	192.168.2.6
May 4, 2021 15:41:50.925205946 CEST	56061	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:50.973963976 CEST	53	56061	8.8.8.8	192.168.2.6
May 4, 2021 15:41:51.722230911 CEST	58336	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:51.773081064 CEST	53	58336	8.8.8.8	192.168.2.6
May 4, 2021 15:41:52.557533026 CEST	53781	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:52.606292009 CEST	53	53781	8.8.8.8	192.168.2.6
May 4, 2021 15:41:53.388611078 CEST	54064	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:53.437273026 CEST	53	54064	8.8.8.8	192.168.2.6
May 4, 2021 15:41:54.189666986 CEST	52811	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:54.249763966 CEST	53	52811	8.8.8.8	192.168.2.6
May 4, 2021 15:41:56.150414944 CEST	55299	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:56.205647945 CEST	53	55299	8.8.8.8	192.168.2.6
May 4, 2021 15:41:57.167248011 CEST	63745	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:57.216856956 CEST	53	63745	8.8.8.8	192.168.2.6
May 4, 2021 15:41:57.950267076 CEST	50055	53	192.168.2.6	8.8.8.8
May 4, 2021 15:41:57.999723911 CEST	53	50055	8.8.8.8	192.168.2.6
May 4, 2021 15:42:13.421814919 CEST	61374	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:13.470455885 CEST	53	61374	8.8.8.8	192.168.2.6
May 4, 2021 15:42:17.391310930 CEST	50339	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:17.458028078 CEST	53	50339	8.8.8.8	192.168.2.6
May 4, 2021 15:42:32.362274885 CEST	63307	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:32.421595097 CEST	53	63307	8.8.8.8	192.168.2.6
May 4, 2021 15:42:34.557418108 CEST	49694	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:34.606385946 CEST	53	49694	8.8.8.8	192.168.2.6
May 4, 2021 15:42:40.547815084 CEST	54982	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:40.821396112 CEST	53	54982	8.8.8.8	192.168.2.6
May 4, 2021 15:42:41.585339069 CEST	50010	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:41.679277897 CEST	53	50010	8.8.8.8	192.168.2.6
May 4, 2021 15:42:42.254551888 CEST	63718	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:42.312946081 CEST	53	63718	8.8.8.8	192.168.2.6
May 4, 2021 15:42:43.001288891 CEST	62116	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:43.061049938 CEST	53	62116	8.8.8.8	192.168.2.6
May 4, 2021 15:42:43.135248899 CEST	63816	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:43.208237886 CEST	53	63816	8.8.8.8	192.168.2.6
May 4, 2021 15:42:43.626993895 CEST	55014	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:43.773308992 CEST	53	55014	8.8.8.8	192.168.2.6
May 4, 2021 15:42:44.393929005 CEST	62208	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:44.456362963 CEST	53	62208	8.8.8.8	192.168.2.6
May 4, 2021 15:42:44.964993954 CEST	57574	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:45.022119999 CEST	53	57574	8.8.8.8	192.168.2.6
May 4, 2021 15:42:46.039253950 CEST	51818	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:46.087892056 CEST	53	51818	8.8.8.8	192.168.2.6
May 4, 2021 15:42:46.944619894 CEST	56628	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:47.010560036 CEST	53	56628	8.8.8.8	192.168.2.6
May 4, 2021 15:42:47.598464012 CEST	60778	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:47.649784088 CEST	53	60778	8.8.8.8	192.168.2.6
May 4, 2021 15:42:50.158595085 CEST	53799	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:50.224337101 CEST	53	53799	8.8.8.8	192.168.2.6
May 4, 2021 15:42:51.498380899 CEST	54683	53	192.168.2.6	8.8.8.8
May 4, 2021 15:42:51.564037085 CEST	53	54683	8.8.8.8	192.168.2.6
May 4, 2021 15:43:10.514071941 CEST	59329	53	192.168.2.6	8.8.8.8
May 4, 2021 15:43:10.723694086 CEST	53	59329	8.8.8.8	192.168.2.6
May 4, 2021 15:43:16.073816061 CEST	64021	53	192.168.2.6	8.8.8.8
May 4, 2021 15:43:16.134013891 CEST	53	64021	8.8.8.8	192.168.2.6
May 4, 2021 15:43:20.654659986 CEST	65084	53	192.168.2.6	8.8.8.8
May 4, 2021 15:43:20.655381918 CEST	52751	53	192.168.2.6	8.8.8.8
May 4, 2021 15:43:20.703342915 CEST	53	65084	8.8.8.8	192.168.2.6
May 4, 2021 15:43:20.712234020 CEST	53	52751	8.8.8.8	192.168.2.6
May 4, 2021 15:43:20.714982986 CEST	50286	53	192.168.2.6	8.8.8.8
May 4, 2021 15:43:20.778337002 CEST	53	50286	8.8.8.8	192.168.2.6
May 4, 2021 15:43:22.157166004 CEST	56129	53	192.168.2.6	8.8.8.8
May 4, 2021 15:43:22.230182886 CEST	53	56129	8.8.8.8	192.168.2.6
May 4, 2021 15:43:24.101075888 CEST	58177	53	192.168.2.6	8.8.8.8
May 4, 2021 15:43:24.166117907 CEST	53	58177	8.8.8.8	192.168.2.6
May 4, 2021 15:43:33.962656021 CEST	50700	53	192.168.2.6	8.8.8.8
May 4, 2021 15:43:34.021742105 CEST	53	50700	8.8.8.8	192.168.2.6
May 4, 2021 15:43:53.159787893 CEST	54069	53	192.168.2.6	8.8.8.8
May 4, 2021 15:43:53.231976032 CEST	53	54069	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 4, 2021 15:42:50.158595085 CEST	192.168.2.6	8.8.8.8	0xd9d3	Standard query (0)	www.philreid4cc.com	A (IP address)	IN (0x0001)
May 4, 2021 15:43:10.514071941 CEST	192.168.2.6	8.8.8.8	0xf2af	Standard query (0)	www.sectorulb.com	A (IP address)	IN (0x0001)
May 4, 2021 15:43:33.962656021 CEST	192.168.2.6	8.8.8.8	0xd76a	Standard query (0)	www.lagrangewildliferemoval.com	A (IP address)	IN (0x0001)
May 4, 2021 15:43:53.159787893 CEST	192.168.2.6	8.8.8.8	0x545f	Standard query (0)	www.umlausa.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 4, 2021 15:42:50.224337101 CEST	8.8.8.8	192.168.2.6	0xd9d3	No error (0)	www.philreid4cc.com	philreid4cc.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 15:42:50.224337101 CEST	8.8.8.8	192.168.2.6	0xd9d3	No error (0)	philreid4cc.com		192.0.78.24	A (IP address)	IN (0x0001)
May 4, 2021 15:42:50.224337101 CEST	8.8.8.8	192.168.2.6	0xd9d3	No error (0)	philreid4cc.com		192.0.78.25	A (IP address)	IN (0x0001)
May 4, 2021 15:43:10.723694086 CEST	8.8.8.8	192.168.2.6	0xf2af	No error (0)	www.sectorulb.com		107.165.149.13	A (IP address)	IN (0x0001)
May 4, 2021 15:43:34.021742105 CEST	8.8.8.8	192.168.2.6	0xd76a	No error (0)	www.lagrangewildliferemoval.com	lagrangewildliferemoval.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 15:43:34.021742105 CEST	8.8.8.8	192.168.2.6	0xd76a	No error (0)	lagrangewildliferemoval.com		107.180.41.236	A (IP address)	IN (0x0001)
May 4, 2021 15:43:53.231976032 CEST	8.8.8.8	192.168.2.6	0x545f	No error (0)	www.umlausa.com	umlausa.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 15:43:53.231976032 CEST	8.8.8.8	192.168.2.6	0x545f	No error (0)	umlausa.com		34.98.99.30	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.philreid4cc.com

www.sectorulb.com

www.lagrangewildliferemoval.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49735	192.0.78.24	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 4, 2021 15:42:50.273303986 CEST	2229	OUT	GET /dxe/?oZN=7nbLudZHS&mdslXXV=s4725d3Oabb4GJPvvzs1NGtrQqdCSFbT14B5hiC+hEbCkkM6v8NMU0M9YHV7hr/JdwNsVvK8Ug== HTTP/1.1 Host: www.philreid4cc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 4, 2021 15:42:50.315778017 CEST	2230	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Tue, 04 May 2021 13:42:50 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.philreid4cc.com/dxe/?oZN=7nbLudZHS&mdslXXV=s4725d3Oabb4GJPvvzs1NGtrQqdCSFbT14B5hiC+hEbCkkM6v8NMU0M9YHV7hr/JdwNsVvK8Ug== X-ac: 2.hhn _dfw Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49741	107.165.149.13	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 4, 2021 15:43:10.927222013 CEST	5159	OUT	GET /dxe/?mdslXXV=c1qXo+D3OeWS7aQwzsMJrh0J2W+ZcnXSIybZATOUAxrA4uZvd+OeJvPZ6sfOQ4L/XOcBlc02WQ==&oZN=7nbLudZHS HTTP/1.1 Host: www.sectorulb.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49749	107.180.41.236	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 4, 2021 15:43:34.155756950 CEST	5189	OUT	GET /dxe/?oZN=7nbLudZHS&mdslXXV=pSmvUx3Cd9o2ehLRUYmTuUG+rz67XAZoYuLBzxOhEanl5TCXMyweO2X8MqC68oVFQcjckZtQvA== HTTP/1.1 Host: www.lagrangewildliferemoval.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 4, 2021 15:43:34.301795006 CEST	5190	IN	HTTP/1.1 404 Not Found Date: Tue, 04 May 2021 13:43:34 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xEE
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xEE
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xEE
GetMessageA	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xEE

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: TT.exe PID: 6588 Parent PID: 5940

General

Start time:	15:41:44
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\TT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\TT.exe'
Imagebase:	0x400000
File size:	233940 bytes
MD5 hash:	27C863C479B0542B3BAD21A67AD1406D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: TT.exe PID: 6624 Parent PID: 6588

General

Start time:	15:41:45
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\TT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\TT.exe'
Imagebase:	0x400000
File size:	233940 bytes
MD5 hash:	27C863C479B0542B3BAD21A67AD1406D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3440 Parent PID: 6624

General

Start time:	15:41:50
Start date:	04/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: msdt.exe PID: 7052 Parent PID: 3440

General

Start time:	15:42:12
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msdt.exe
Imagebase:	0xb20000
File size:	1508352 bytes
MD5 hash:	7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 6640 Parent PID: 7052

General

Start time:	15:42:16
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\TT.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6312 Parent PID: 6640

General

Start time:	15:42:16
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report TT.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets