Play interactive tour

Edit tour

Analysis Report 5SXTKXCnqS

Overview

General Information

Sample Name:	5SXTKXCnqS (renamed file extension from none to exe)
Analysis ID:	432719
MD5:	cb4947e5c78ada624d22c28ee9079871
SHA1:	eb2c2d329e9be0b3a74582a4fd9c257bc795a690
SHA256:	02230fb80db0fe0055730a0af8b3a0c66a578b2c315206053b80bae250c5561d
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

5SXTKXCnqS.exe (PID: 5828 cmdline: 'C:\Users\user\Desktop\5SXTKXCnqS.exe' MD5: CB4947E5C78ADA624D22C28EE9079871)

5SXTKXCnqS.exe (PID: 4328 cmdline: 'C:\Users\user\Desktop\5SXTKXCnqS.exe' MD5: CB4947E5C78ADA624D22C28EE9079871)

explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

msdt.exe (PID: 4940 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)

cmd.exe (PID: 1384 cmdline: /c del 'C:\Users\user\Desktop\5SXTKXCnqS.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.updatesz.com/hlx/"], "decoy": ["firo.store", "unmeasured-grace.com", "burger-ff.com", "alcargomoversllc.com", "brianratkevich.com", "semugaralara01.net", "ngalvision.com", "texaslearningpods.com", "ontarioboatcharters.com", "kleinrugcleaning.com", "michaelvancebromfield.com", "habitameya.com", "elyoma.com", "worldtvepisode.com", "masatakahorie.com", "jumpinginfo.com", "hfjxhs.com", "bf-swiss.com", "rvingbus.com", "suxfi.com", "schoolcardtrades.com", "motion-airsoft.com", "123netflix.moe", "ic200mdl750.com", "silkensarees.com", "digitalmarketingtraining.xyz", "foypay.com", "eudoraacantik.com", "healthyandwealthie.com", "print-postcards-fast.com", "alpha-psych.com", "merthyrrock.com", "mss52.com", "cddcsw.com", "istanbulbisiklettamircisi.com", "ertugrulbey.net", "katarina-yoga.com", "findholmesinlaurelmaryland.com", "sabciu.net", "shipthuocnhanh24h.com", "veganonthegreens.com", "ailil-alvarez.com", "thefashionszone.com", "geminicomputerofficial.com", "terraveda.net", "ruhstorfer-gruppe.info", "suderstr.com", "yunjichem.com", "priyadubai.com", "sofierceboutique.com", "nealcurtiss.com", "mcgdinner.com", "steplife.info", "pwagih.com", "cpzgzcw.com", "wierzewzwierze.com", "asbestosconsultancyservices.com", "centerstageacademyaz.com", "skip1-dndasasd.com", "successteamrealty.com", "mijninboxe.com", "berkeleyrehab.com", "tfjxw.com", "mcluxuryrentals.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0.2.5SXTKXCnqS.exe.2170000.3.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.5SXTKXCnqS.exe.2170000.3.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.5SXTKXCnqS.exe.2170000.3.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C
2.2.5SXTKXCnqS.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.5SXTKXCnqS.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.5SXTKXCnqS.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C
2.2.5SXTKXCnqS.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.5SXTKXCnqS.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.5SXTKXCnqS.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
2.1.5SXTKXCnqS.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.1.5SXTKXCnqS.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.1.5SXTKXCnqS.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
2.1.5SXTKXCnqS.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.1.5SXTKXCnqS.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.1.5SXTKXCnqS.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 4940

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.updatesz.com/hlx/"], "decoy": ["firo.store", "unmeasured-grace.com", "burger-ff.com", "alcargomoversllc.com", "brianratkevich.com", "semugaralara01.net", "ngalvision.com", "texaslearningpods.com", "ontarioboatcharters.com", "kleinrugcleaning.com", "michaelvancebromfield.com", "habitameya.com", "elyoma.com", "worldtvepisode.com", "masatakahorie.com", "jumpinginfo.com", "hfjxhs.com", "bf-swiss.com", "rvingbus.com", "suxfi.com", "schoolcardtrades.com", "motion-airsoft.com", "123netflix.moe", "ic200mdl750.com", "silkensarees.com", "digitalmarketingtraining.xyz", "foypay.com", "eudoraacantik.com", "healthyandwealthie.com", "print-postcards-fast.com", "alpha-psych.com", "merthyrrock.com", "mss52.com", "cddcsw.com", "istanbulbisiklettamircisi.com", "ertugrulbey.net", "katarina-yoga.com", "findholmesinlaurelmaryland.com", "sabciu.net", "shipthuocnhanh24h.com", "veganonthegreens.com", "ailil-alvarez.com", "thefashionszone.com", "geminicomputerofficial.com", "terraveda.net", "ruhstorfer-gruppe.info", "suderstr.com", "yunjichem.com", "priyadubai.com", "sofierceboutique.com", "nealcurtiss.com", "mcgdinner.com", "steplife.info", "pwagih.com", "cpzgzcw.com", "wierzewzwierze.com", "asbestosconsultancyservices.com", "centerstageacademyaz.com", "skip1-dndasasd.com", "successteamrealty.com", "mijninboxe.com", "berkeleyrehab.com", "tfjxw.com", "mcluxuryrentals.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 5SXTKXCnqS.exe	Virustotal: Detection: 30%			Perma Link
Source: 5SXTKXCnqS.exe	ReversingLabs: Detection: 29%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: 5SXTKXCnqS.exe

Joe Sandbox ML: detected

Source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.5SXTKXCnqS.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.msdt.exe.b552b0.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.5SXTKXCnqS.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.msdt.exe.509f834.5.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: 5SXTKXCnqS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.288397745.0000000006FE0000.00000002.00000001.sdmp
Source:	Binary string: msdt.pdbGCTL source: 5SXTKXCnqS.exe, 00000002.00000002.315714674.0000000002A80000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: 5SXTKXCnqS.exe, 00000000.00000003.236649402.0000000009AA0000.00000004.00000001.sdmp, 5SXTKXCnqS.exe, 00000002.00000003.237181560.0000000000660000.00000004.00000001.sdmp, msdt.exe, 0000000E.00000002.500150489.0000000004C8F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 5SXTKXCnqS.exe, msdt.exe
Source:	Binary string: msdt.pdb source: 5SXTKXCnqS.exe, 00000002.00000002.315714674.0000000002A80000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.288397745.0000000006FE0000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 0_2_0040263E FindFirstFileA,

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	File opened: C:\Users\user\AppData\Local\Temp\wkxohdeyqvvyr
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	File opened: C:\Users\user\AppData\Local\Temp\02vqprgl0atfidc
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	File opened: C:\Users\user
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	File opened: C:\Users\user\AppData\Local\Temp\nsaC26D.tmp
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	File opened: C:\Users\user\Desktop\5SXTKXCnqS.exe
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	File opened: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.updatesz.com/hlx/

Source: global traffic	HTTP traffic detected: GET /hlx/?wVSH=B58lx/xaXAfqMrblDg0CPLD4IpEHx1MuvfXEetjmXTR5BJPCAvCKa/uMIPwGmDqbiG+v&i0D=adKPlr HTTP/1.1Host: www.centerstageacademyaz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hlx/?wVSH=1q0nvnuESuCKkKkbLudmlC1kRF8eq+dUTLEJwYL638OOvnGjESXIW61pqUjqlD08HWSv&i0D=adKPlr HTTP/1.1Host: www.updatesz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 184.168.131.241 184.168.131.241

Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View	ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS

Source: global traffic	HTTP traffic detected: GET /hlx/?wVSH=B58lx/xaXAfqMrblDg0CPLD4IpEHx1MuvfXEetjmXTR5BJPCAvCKa/uMIPwGmDqbiG+v&i0D=adKPlr HTTP/1.1Host: www.centerstageacademyaz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hlx/?wVSH=1q0nvnuESuCKkKkbLudmlC1kRF8eq+dUTLEJwYL638OOvnGjESXIW61pqUjqlD08HWSv&i0D=adKPlr HTTP/1.1Host: www.updatesz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.centerstageacademyaz.com

Source: msdt.exe, 0000000E.00000002.501612375.000000000558F000.00000004.00000001.sdmp	String found in binary or memory: http://centerstage.academy/hlx/?wVSH=B58lx/xaXAfqMrblDg0CPLD4IpEHx1MuvfXEetjmXTR5BJPCAvCKa/uMIPwGmDq
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 5SXTKXCnqS.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 5SXTKXCnqS.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: 5SXTKXCnqS.exe, 00000000.00000002.240155018.000000000077A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00419D50 NtCreateFile,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00419E00 NtReadFile,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00419E80 NtClose,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00419F30 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00419D4C NtCreateFile,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00419DFD NtReadFile,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00419E7A NtClose,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00419F2B NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009FB040 NtSuspendThread,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9A10 NtQuerySection,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009FA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009FAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9560 NtWriteFile,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F96D0 NtCreateKey,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BDB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BDAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9560 NtWriteFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BDA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BDA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BDA770 NtOpenThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00739D50 NtCreateFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00739E00 NtReadFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00739E80 NtClose,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00739F30 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00739D4C NtCreateFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00739DFD NtReadFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00739E7A NtClose,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00739F2B NtAllocateVirtualMemory,

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 0_2_00404853
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 0_2_00406131
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 0_2_73CA1A98
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_0041D82F
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00401030
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_0041D1F9
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_0041D442
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_0041DDD3
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00402D87
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00409E2B
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00409E30
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_0041DFE7
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00402FB0
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A820A8
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009CB090
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E20A0
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71002
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BF900
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009D4120
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A822AE
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009EEBB0
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A7DBD2
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A82B28
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C841F
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E2581
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009CD5E0
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A82D07
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B0D20
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A81D55
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A82EF7
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009D6E30
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A81FF1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BAB090
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA841F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51002
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC2581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BAD5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C61D55
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B90D20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BB4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9F900
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BB6E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCEBB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_0073D1F9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00722D90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00722D87
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00729E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00729E2B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_0073DFE7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00722FB0

Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 04B9B150 appears 32 times
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: String function: 009BB150 appears 35 times

Source: 5SXTKXCnqS.exe, 00000000.00000003.236258126.0000000009BBF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 5SXTKXCnqS.exe
Source: 5SXTKXCnqS.exe, 00000002.00000002.315714674.0000000002A80000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemsdt.exej% vs 5SXTKXCnqS.exe
Source: 5SXTKXCnqS.exe, 00000002.00000002.315316837.0000000000C3F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 5SXTKXCnqS.exe

Source: 5SXTKXCnqS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@2/2

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

File created: C:\Users\user\AppData\Local\Temp\nsaC26C.tmp

Jump to behavior

Source: 5SXTKXCnqS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 5SXTKXCnqS.exe	Virustotal: Detection: 30%
Source: 5SXTKXCnqS.exe	ReversingLabs: Detection: 29%

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

File read: C:\Users\user\Desktop\5SXTKXCnqS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\5SXTKXCnqS.exe 'C:\Users\user\Desktop\5SXTKXCnqS.exe'
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Process created: C:\Users\user\Desktop\5SXTKXCnqS.exe 'C:\Users\user\Desktop\5SXTKXCnqS.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\5SXTKXCnqS.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Process created: C:\Users\user\Desktop\5SXTKXCnqS.exe 'C:\Users\user\Desktop\5SXTKXCnqS.exe'
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\5SXTKXCnqS.exe'

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.288397745.0000000006FE0000.00000002.00000001.sdmp
Source:	Binary string: msdt.pdbGCTL source: 5SXTKXCnqS.exe, 00000002.00000002.315714674.0000000002A80000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: 5SXTKXCnqS.exe, 00000000.00000003.236649402.0000000009AA0000.00000004.00000001.sdmp, 5SXTKXCnqS.exe, 00000002.00000003.237181560.0000000000660000.00000004.00000001.sdmp, msdt.exe, 0000000E.00000002.500150489.0000000004C8F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 5SXTKXCnqS.exe, msdt.exe
Source:	Binary string: msdt.pdb source: 5SXTKXCnqS.exe, 00000002.00000002.315714674.0000000002A80000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.288397745.0000000006FE0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Unpacked PE file: 2.2.5SXTKXCnqS.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 0_2_73CA2F60 push eax; ret
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_0041D82F push dword ptr [3253D521h]; ret
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00417A8C push eax; retf
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00407B24 push ss; retf
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00407CB2 push edx; retf
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_0041CEF2 push eax; ret
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_0041CEFB push eax; ret
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_004176A2 pushfd ; retf
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_0041CEA5 push eax; ret
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_004176BA push ds; ret
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_0041CF5C push eax; ret
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A0D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BED0D1 push ecx; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00737A8C push eax; retf
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00727B24 push ss; retf
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_00727CB2 push edx; retf
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_0073DD8E push dword ptr [3253D521h]; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_0073CEF2 push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_0073CEFB push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_007376BA push ds; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_007376A2 pushfd ; retf
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_0073CEA5 push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_0073CF5C push eax; ret

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

File created: C:\Users\user\AppData\Local\Temp\nsaC26E.tmp\System.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE2

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 00000000007298E4 second address: 00000000007298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 0000000000729B4E second address: 0000000000729B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Code function: 2_2_00409A80 rdtsc

Source: C:\Windows\explorer.exe TID: 1780

Thread sleep time: -38000s >= -30000s

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 0_2_0040263E FindFirstFileA,

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	File opened: C:\Users\user\AppData\Local\Temp\wkxohdeyqvvyr
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	File opened: C:\Users\user\AppData\Local\Temp\02vqprgl0atfidc
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	File opened: C:\Users\user
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	File opened: C:\Users\user\AppData\Local\Temp\nsaC26D.tmp
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	File opened: C:\Users\user\Desktop\5SXTKXCnqS.exe
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	File opened: C:\Users\user\Desktop\desktop.ini

Source: explorer.exe, 00000003.00000000.261160747.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000000.269032429.000000000DC20000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.260495097.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.261160747.000000000891C000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.245467885.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.284504790.00000000053A0000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic
Source: explorer.exe, 00000003.00000000.274452348.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000003.00000000.261865625.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000003.00000000.253870774.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000003.00000000.260495097.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.260495097.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.261865625.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000003.00000000.260495097.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Code function: 2_2_00409A80 rdtsc

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Code function: 2_2_0040ACC0 LdrLoadDll,

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009EF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009EF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009EF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A33884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A33884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A4B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A37016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A37016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A37016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009CB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009CB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009CB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009CB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A84015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A84015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009D0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009D0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A72073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A81074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A369A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009EA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009DC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A441E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009D4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009D4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009D4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009D4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009D4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009DB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009DB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009ED294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009ED294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009CAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009CAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009EFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009D3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A6B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A6B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A88A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A7EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A44257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A85BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009EB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A6D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A7138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A353CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A353CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009DDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A7131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A88B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A36CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A36CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A36CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A714FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A88CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A8740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A8740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A8740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A36C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A36C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A36C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A36C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009EBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009EA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009D746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A4C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A4C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A805AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A805AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009EFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009EFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A7FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A7FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A7FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A7FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A68DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A36DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009CD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009CD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A3A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A88D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009D7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A33540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009DC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009DC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A346A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A80EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A80EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A80EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A4FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A6FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A88ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009EA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009EA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A6FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009E8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A71608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009BE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009C8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A37794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A37794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_00A37794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Code function: 2_2_009F37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C68CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C2B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C16CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C16CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C16CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B99080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C514FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C13884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C13884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BAB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BAB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BAB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BAB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C2C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C2C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C61074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C52073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C6740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C6740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C6740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C16C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C16C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C16C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C16C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C64015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C64015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BB746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BB0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BB0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C241E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B92D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B92D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B92D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B92D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B92D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C48DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BBC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BAD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BAD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C169A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C13540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BB4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BB4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BB4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BB4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BB4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B99100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B99100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B99100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BBC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BBC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BB7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C68D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C1A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BBB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BBB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C4FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BAAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BAAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C68ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C2FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C60EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C60EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C60EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C146A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C24257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C4B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C4B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C68A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BB3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BBAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BBAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BBAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BBAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BBAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B99240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B99240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B99240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B99240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C4FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C153CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C153CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BA1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C4D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BD37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C5138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C17794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C17794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C17794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C65BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B94F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B94F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C68B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C68F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BBF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BCA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BC3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C6070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C6070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C2FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C2FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BAFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04C5131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04B9DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 14_2_04BAEF40 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe	Domain query: www.updatesz.com
Source: C:\Windows\explorer.exe	Network Connect: 184.154.132.108 80
Source: C:\Windows\explorer.exe	Domain query: www.centerstageacademyaz.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Section loaded: unknown target: C:\Users\user\Desktop\5SXTKXCnqS.exe protection: execute and read and write
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Thread register set: target process: 3472
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\msdt.exe	Thread register set: target process: 3472

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 10F0000

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe	Process created: C:\Users\user\Desktop\5SXTKXCnqS.exe 'C:\Users\user\Desktop\5SXTKXCnqS.exe'
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\5SXTKXCnqS.exe'

Source: explorer.exe, 00000003.00000000.287412279.0000000005EA0000.00000004.00000001.sdmp, msdt.exe, 0000000E.00000002.499019066.0000000003270000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.274620505.0000000001640000.00000002.00000001.sdmp, msdt.exe, 0000000E.00000002.499019066.0000000003270000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.274620505.0000000001640000.00000002.00000001.sdmp, msdt.exe, 0000000E.00000002.499019066.0000000003270000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000003.00000000.274367056.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000003.00000000.274620505.0000000001640000.00000002.00000001.sdmp, msdt.exe, 0000000E.00000002.499019066.0000000003270000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000003.00000000.274620505.0000000001640000.00000002.00000001.sdmp, msdt.exe, 0000000E.00000002.499019066.0000000003270000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\5SXTKXCnqS.exe

Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection512	Rootkit1	Credential API Hooking1	Security Software Discovery131	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion3	Input Capture1	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection512	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Remote System Discovery1	Distributed Component Object Model	Clipboard Data1	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	File and Directory Discovery3	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing11	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
5SXTKXCnqS.exe	30%	Virustotal		Browse
5SXTKXCnqS.exe	30%	ReversingLabs	Win32.Spyware.Noon
5SXTKXCnqS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsaC26E.tmp\System.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nsaC26E.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.5SXTKXCnqS.exe.2170000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
2.2.5SXTKXCnqS.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.5SXTKXCnqS.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
14.2.msdt.exe.b552b0.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.0.5SXTKXCnqS.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
2.1.5SXTKXCnqS.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
14.2.msdt.exe.509f834.5.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.5SXTKXCnqS.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://centerstage.academy/hlx/?wVSH=B58lx/xaXAfqMrblDg0CPLD4IpEHx1MuvfXEetjmXTR5BJPCAvCKa/uMIPwGmDq	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.centerstageacademyaz.com/hlx/?wVSH=B58lx/xaXAfqMrblDg0CPLD4IpEHx1MuvfXEetjmXTR5BJPCAvCKa/uMIPwGmDqbiG+v&i0D=adKPlr	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
www.updatesz.com/hlx/	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.updatesz.com/hlx/?wVSH=1q0nvnuESuCKkKkbLudmlC1kRF8eq+dUTLEJwYL638OOvnGjESXIW61pqUjqlD08HWSv&i0D=adKPlr	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
centerstageacademyaz.com	184.168.131.241	true	true	unknown
updatesz.com	184.154.132.108	true	true	unknown
www.updatesz.com	unknown	unknown	true	unknown
www.centerstageacademyaz.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.centerstageacademyaz.com/hlx/?wVSH=B58lx/xaXAfqMrblDg0CPLD4IpEHx1MuvfXEetjmXTR5BJPCAvCKa/uMIPwGmDqbiG+v&i0D=adKPlr	true	Avira URL Cloud: safe	unknown
www.updatesz.com/hlx/	true	Avira URL Cloud: safe	low
http://www.updatesz.com/hlx/?wVSH=1q0nvnuESuCKkKkbLudmlC1kRF8eq+dUTLEJwYL638OOvnGjESXIW61pqUjqlD08HWSv&i0D=adKPlr	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	5SXTKXCnqS.exe	false		high
http://www.goodfont.co.kr	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://centerstage.academy/hlx/?wVSH=B58lx/xaXAfqMrblDg0CPLD4IpEHx1MuvfXEetjmXTR5BJPCAvCKa/uMIPwGmDq	msdt.exe, 0000000E.00000002.501612375.000000000558F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false		high
http://nsis.sf.net/NSIS_Error	5SXTKXCnqS.exe	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
184.168.131.241	centerstageacademyaz.com	United States		26496	AS-26496-GO-DADDY-COM-LLCUS	true
184.154.132.108	updatesz.com	United States		32475	SINGLEHOP-LLCUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432719
Start date:	10.06.2021
Start time:	17:41:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 0s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	5SXTKXCnqS (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/4@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 23.1% (good quality ratio 20.8%) Quality average: 75.8% Quality standard deviation: 31.7%
HCA Information:	Successful, ratio: 86% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 92.122.145.220, 52.147.198.201, 184.30.24.56, 20.82.209.183, 51.103.5.159, 93.184.221.240, 13.107.4.50, 92.122.213.247, 92.122.213.194, 20.54.26.129, 20.82.210.154 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, Edge-Prod-FRAr4b.env.au.au-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, afdap.au.au-msedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
184.168.131.241	AWB00028487364 -000487449287.doc	Get hash	malicious	Browse	www.centerstageacademyaz.com/hlx/?5jSp=B58lx/xfXHfuM7XpBg0CPLD4IpEHx1MuvfPUCu/nTzR4B4jEH/TGM7WOLp8Aty+Q3gKYZw==&JR-laV=zN90U
	#U00a0Import Custom Duty invoice & its clearance documents.exe	Get hash	malicious	Browse	www.mnanoramaonline.com/dp3a/?6l6x=JpPDbdpPqJah&F4ClVX_=HMSedmBm6/hIWbSmMxUxYZbRrtDTwFsk+TyYRjGVNzdErelZVoFwy82MvW0W4Pxo5ExE
	Payment receipt MT103.exe	Get hash	malicious	Browse	www.2006almadenrd.com/n86i/?3fDpH=EncZcG68c0UFvrfaep8p5kHr59rKeBqDHDmJoTlHDlH5Q19q6THcE1BV1jQP2/4tmveZ&Vjo=1bT0vz7
	New Order.exe	Get hash	malicious	Browse	www.flockuplabs.com/uqf5/?mVS=CH5D6h5PGn4ts&3fCDL=kpO7L1Lkp8iY+ON3mW6Oq8CK0aWMRalGagQzJa0PwjziroypQJ68geE/ArNV1zcwD6YY
	NEW ORDER ZIP.exe	Get hash	malicious	Browse	www.cohorsetrails.com/j7e/?iP_T-V=s4TxBF2&F8EdvhY=0uFKBmvmOY3N1cR6tfDjvpZ4XCwo5tCp3URJWx4vIEcYZHH/ZYklCf5hgzXfIPGP0WLm
	oVA5JBAJutcna88.exe	Get hash	malicious	Browse	www.covid-19-411.com/c6ss/?P6AT72s=DB71Bym9Rr14TfwtieeaSq+XP6MPPP3k6OJ3eYsEhcCNhSwkByfhm8SfoYhSpsTVm4Za&j6A4qv=gJBt3
	qXDtb88hht.exe	Get hash	malicious	Browse	www.thriveglucose.com/p2io/?Z8E=bgEje2qoIMshrcRflwWQjpUULYzLZlDcA+elzyDX4pz+rZVwSlMQ2+HN9bOaKrviR/d6&b0GDi6=Q6Ahtfox
	a8eC6O6okf.exe	Get hash	malicious	Browse	www.oceancollaborative.com/bp3i/?PF=5jiDaNi8a4RT0&V0Gp=+tA82deiMnBv5x6tQvXabF4qHjy6FJLdLGXe/FevxPH8etKnEP6uMBOxOeXG6ZsHsCfG
	Telex_Payment.exe	Get hash	malicious	Browse	www.avaatraelegant.com/m3rc/?hTk8tpm=TSQTGbGl+UafldaDY7iOrPnVdHYt9Ypfw/QiU1mtcNJ1KwINQbFG4EVzsaDm0ZQusGTd&I4=5jxX5BaX4hy8-j8
	QyKNw7NioL.exe	Get hash	malicious	Browse	www.thriveglucose.com/p2io/?m4=PditjTvx4PwX_x-&aBd=bgEje2qoIMshrcRflwWQjpUULYzLZlDcA+elzyDX4pz+rZVwSlMQ2+HN9YuKFK/aPa09
	Payment_Advice.exe	Get hash	malicious	Browse	www.ingenious.care/uqf5/?9rw=IyvMBxqM8mznciPJtkomKlfF/kq/6zAZ/NulsdYJ5cntVs/S9fIvdvtMsAQ76USE273s&s6=bPYXfd3Xq0VHDp
	SOA #093732.exe	Get hash	malicious	Browse	www.xn--arepasantabrbara-pmb.com/hme1/?jPw=2SPw7LQlaa7cti3Mn2rz6TCjd7lU8jHnPITUh2R4n2dBA+x2SVgAgss/958kYo9ATjis&y2JhS=6lr41hZpgNXtF
	rHk5KU7bfT.exe	Get hash	malicious	Browse	www.rvvikings.com/dxe/?TfTl=jHjQ1sEHwNXw4n+A/8fpKnaO6SpchAkuZ+GgFHi7AN8kb2XA0i8OmoFepGcQzHHYqc9c&7nGt5=h6Altfix
	Order.exe	Get hash	malicious	Browse	www.complexscale.net/jogt/?w6ATB0=mM0Ck4zU/d9hG5lVEWeH7uQPwyvlCbjgstqvdurAh1ZdTH4Yqc2sgGmD0X7Q/SemRdxv&Jxox=Er6tXhMxl
	VubYcOdGjQ.exe	Get hash	malicious	Browse	www.theguyscave.com/k8n/?wR-T-=ETYdeRC&5jn=ffRSpgj0URUgPhDkzfA3YdlDQQz5pJJRybkyQxcySljT84fGDbAnWSnhJv/zp2N19SZb
	Payment_Advice.exe	Get hash	malicious	Browse	www.getthistle.com/q4kr/?w2MLb=6lux&QtRl=Jt1JO2t971959LrdDM/EJ1cvA97Pwm/HDqPg7v3P69I8XU+CUZlUHoU2RjaRLLQwrinB
	Neworder.exe	Get hash	malicious	Browse	www.kanitanaillounge.com/jogt/?PlQ8j=jKXq1ZQHcPBM/dFmsG96Rrq7SiC5kuIPSSiD8Dd2ip+Nb1yUpyUL4OnIzbOoJzgaBXqf&2db=g0G0iLxxPHIT
	Request for Price W912D2-19-Q-0004.exe	Get hash	malicious	Browse	www.blackwomencamp.net/egem/?2dCHQ=s0ILlWrMQzsGp3p1RmAY3qUukEAkmJAYYPkleJQvQBxBfoOdmLxTHansmvlw5WkCayf3&7nDtA=f2JDOtyx2xtDzteP
	Ack0527073465.exe	Get hash	malicious	Browse	www.cohenasssets.net/5yue/?3fJx=KYutaNEAIvarQ918ErbJ+YDUvzOLVJKXYG8C/UFRJ6ixESNgaf8eKtytrZ1l6vvKrhJX&2dC4V=P48T-VYXSzrLax
	Product_Samples.exe	Get hash	malicious	Browse	www.drlisatharler.com/m3rc/?j48=S9zQIxIAxlHw3AhG2oij4tyqbwYeiyo/TLihsL6vT2Jmjs5l/Hr2XRCnRYAhYdjvl6NmGr7rCg==&vRC=5jdD624HmJID8lJP

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-26496-GO-DADDY-COM-LLCUS	AWB00028487364 -000487449287.doc	Get hash	malicious	Browse	184.168.131.241
	619wGDCTZA.exe	Get hash	malicious	Browse	23.229.215.137
	Documents_13134976_1377491379.xlsb	Get hash	malicious	Browse	107.180.50.232
	#U00a0Import Custom Duty invoice & its clearance documents.exe	Get hash	malicious	Browse	184.168.131.241
	Payment receipt MT103.exe	Get hash	malicious	Browse	184.168.131.241
	research-531942606.xlsb	Get hash	malicious	Browse	72.167.211.83
	research-121105165.xlsb	Get hash	malicious	Browse	72.167.211.83
	research-76934760.xlsb	Get hash	malicious	Browse	72.167.211.83
	research-1960540844.xlsx	Get hash	malicious	Browse	72.167.211.83
	research-1110827633.xlsb	Get hash	malicious	Browse	72.167.211.83
	DocumentScanCopy2021_pdf.exe	Get hash	malicious	Browse	148.66.138.158
	New Order.exe	Get hash	malicious	Browse	184.168.131.241
	DocumentScanCopy202_pdf.exe	Get hash	malicious	Browse	148.66.138.158
	NEW ORDER ZIP.exe	Get hash	malicious	Browse	184.168.131.241
	oVA5JBAJutcna88.exe	Get hash	malicious	Browse	184.168.131.241
	qXDtb88hht.exe	Get hash	malicious	Browse	184.168.131.241
	a8eC6O6okf.exe	Get hash	malicious	Browse	184.168.131.241
	Telex_Payment.exe	Get hash	malicious	Browse	184.168.131.241
	QyKNw7NioL.exe	Get hash	malicious	Browse	184.168.131.241
	Payment_Advice.exe	Get hash	malicious	Browse	184.168.131.241
SINGLEHOP-LLCUS	Payment slip.exe	Get hash	malicious	Browse	198.20.110.232
	PO4358492133-REF30.doc	Get hash	malicious	Browse	184.154.190.82
	1092991(JB#082).exe	Get hash	malicious	Browse	198.20.110.232
	Qgc2Nreer3.exe	Get hash	malicious	Browse	198.143.164.252
	OoFyX2nTbB.exe	Get hash	malicious	Browse	184.154.132.108
	Payment.html	Get hash	malicious	Browse	63.251.14.14
	proforma invoice.exe	Get hash	malicious	Browse	198.20.110.232
	$RAULIU9.exe	Get hash	malicious	Browse	172.96.187.217
	BN45.vbs	Get hash	malicious	Browse	198.20.110.126
	LMNF434.vbs	Get hash	malicious	Browse	172.96.187.2
	SF65G55121E0FE25552.vbs	Get hash	malicious	Browse	172.96.187.2
	551f47ac_by_Libranalysis.xlsm	Get hash	malicious	Browse	184.154.83.252
	export of bill 896621.xlsm	Get hash	malicious	Browse	184.154.83.252
	scan of invoice 4366307.xlsm	Get hash	malicious	Browse	184.154.83.252
	FY9Z5TR6rr.exe	Get hash	malicious	Browse	198.20.110.126
	cf9f3c05-00c9-4008-846e-7d9a88232305.exe	Get hash	malicious	Browse	184.154.27.242
	Spetrum-invoice-95144511.vbs	Get hash	malicious	Browse	172.96.187.2
	4GGwmv0AJm.exe	Get hash	malicious	Browse	173.236.127.29
	DX35.vbs	Get hash	malicious	Browse	172.96.186.134
	Y8G0OTN7.htm	Get hash	malicious	Browse	173.236.35.188

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsaC26E.tmp\System.dll	i6xFULh8J5.exe	Get hash	malicious	Browse
	AWB00028487364 -000487449287.doc	Get hash	malicious	Browse
	090049000009000.exe	Get hash	malicious	Browse
	dYy3yfSkwY.exe	Get hash	malicious	Browse
	PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx	Get hash	malicious	Browse
	Purchase Order Price List 061021.xlsx	Get hash	malicious	Browse
	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse
	UGGJ4NnzFz.exe	Get hash	malicious	Browse
	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse
	3arZKnr21W.exe	Get hash	malicious	Browse
	Shipping receipt.exe	Get hash	malicious	Browse
	New Order TL273723734533.pdf.exe	Get hash	malicious	Browse
	YZ8OvkljWm.exe	Get hash	malicious	Browse
	U03c2doc.exe	Get hash	malicious	Browse
	QUOTE061021.exe	Get hash	malicious	Browse
	PAYMENT CONFIRMATION.exe	Get hash	malicious	Browse
	PO187439.exe	Get hash	malicious	Browse
	090009000000090.exe	Get hash	malicious	Browse
	NEWORDERLIST.exe	Get hash	malicious	Browse
	00404000004.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\02vqprgl0atfidc Download File
Process:	C:\Users\user\Desktop\5SXTKXCnqS.exe
File Type:	data
Category:	dropped
Size (bytes):	185856
Entropy (8bit):	7.998940517618347
Encrypted:	true
SSDEEP:	3072:sGXmBfAYT/4RnQPu5PBTgJApkOdFuKxnZMfSWVgVBratxWRHkFIhFQ:sbVZanguBdgJ2JdF/ZMqNbatxWREr
MD5:	378DDC5CCA93C62AF29C52E3A139BB7A
SHA1:	04C1B1F9C5AF921764E29E654D2D87E80D47C470
SHA-256:	7AFCBE7E43FFCFC7268EFAF45629E6B6ED931145C9E5E820D60C5C9B50B0A1C5
SHA-512:	977D9A3F41B3AE1D5ADC32926F522BDAB3A77A5472C0A47E63565D8CF6EAEC98C94A3776EA21538E4AFB122F1046F9BB916375B5B632889FFC8ED3430BB0360A
Malicious:	false
Reputation:	low
Preview:	)..\.L...b~zy....R...u,....B.pp..pb...u<.-V...1....>o.V.Pw....k..:...h.n.Y@M....T..?1.._2....$H........E..G......S.j....S...;..t..,...kY..t..a&...w=..("'...G..6[=..V$...YR..&T..JN..T.i...F...%....a.........H......F...&.r.,.....x.K..]C......v..N...V..GC.&D...Z9)..39t.i0.....+j..I..+...)._.$.~1.+7.H@.W..N.E,z..1.....lQ.....'7...)I&.1....'I\.<..!..5......Q*..C...}.=..q#q.Rf.Tf.?h.SD...R.K..Q[1..n.b.V1.#.Y......6..t.6..Y......8.+7.}.~...K_..B.J........\|.R..Q...:.J!....q...{..[F...;...i...e...}...+[.S.....IV?9..)F.....Q..IT.j.%zh.u:.......L(..R.).6"..Dd......-.y.lC.bZ.. ......~.......T..'...}.m.UC.[6...Z ....!Z#...a..........u#.....jp..OM.p.-XM.N.r.x.D...c_M..{;.....#.N.&8.a.3B>.Ht......}m5....K.........p..Q...R..{Z$.Y..qE...#..c.sZ..;.b.O.u. ........U+....6^.D....MQ.#.%..<..@.....v.n.......+&.t.r.3..[.af...R=UL.....6.v..c.v.......m.E.a@c.R:...hJ.T....4w.<.od2\....z.,..\..{...V..:~r.....D.8.q..`V.19....]=...a)U`..'9..K....n!qN.E#.E.w...2i....q.N.9.).

C:\Users\user\AppData\Local\Temp\nsaC26D.tmp Download File
Process:	C:\Users\user\Desktop\5SXTKXCnqS.exe
File Type:	data
Category:	dropped
Size (bytes):	278770
Entropy (8bit):	7.448079444634977
Encrypted:	false
SSDEEP:	6144:OtbVZanguBdgJ2JdF/ZMqNbatxWREwXeQumQ4T3t:qINkc7RTVXeQued
MD5:	C4CB16A32F9F83E70EAE2EDB6FD01FF3
SHA1:	9E86174F2952237E5170B532A69BC080FCD59765
SHA-256:	C8FE712473694B00B45F2AC8C83E57C0527751C6BA118E2A95F3F5B699B7EE57
SHA-512:	8D9FC4DB04C2538B792F720A183A337043F77A846B7A71F3D66405C15F975D98CFF7E63ADDD2CB677454765A7D3C2295E522457DB6A479F7F84753C3F4E119CF
Malicious:	false
Reputation:	low
Preview:	._......,.......................xH.......^......y_..........................................................................................................................................................................................................................................J...............#...j...............................................................................................................................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsaC26E.tmp\System.dll Download File
Process:	C:\Users\user\Desktop\5SXTKXCnqS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.855045165595541
Encrypted:	false
SSDEEP:	192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:	FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:	30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:	F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: i6xFULh8J5.exe, Detection: malicious, Browse Filename: AWB00028487364 -000487449287.doc, Detection: malicious, Browse Filename: 090049000009000.exe, Detection: malicious, Browse Filename: dYy3yfSkwY.exe, Detection: malicious, Browse Filename: PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx, Detection: malicious, Browse Filename: Purchase Order Price List 061021.xlsx, Detection: malicious, Browse Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious, Browse Filename: UGGJ4NnzFz.exe, Detection: malicious, Browse Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious, Browse Filename: 3arZKnr21W.exe, Detection: malicious, Browse Filename: Shipping receipt.exe, Detection: malicious, Browse Filename: New Order TL273723734533.pdf.exe, Detection: malicious, Browse Filename: YZ8OvkljWm.exe, Detection: malicious, Browse Filename: U03c2doc.exe, Detection: malicious, Browse Filename: QUOTE061021.exe, Detection: malicious, Browse Filename: PAYMENT CONFIRMATION.exe, Detection: malicious, Browse Filename: PO187439.exe, Detection: malicious, Browse Filename: 090009000000090.exe, Detection: malicious, Browse Filename: NEWORDERLIST.exe, Detection: malicious, Browse Filename: 00404000004.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wkxohdeyqvvyr Download File
Process:	C:\Users\user\Desktop\5SXTKXCnqS.exe
File Type:	data
Category:	dropped
Size (bytes):	56657
Entropy (8bit):	4.975811547605918
Encrypted:	false
SSDEEP:	1536:5usA23WeP0CJgK679CbFutzrcnrz42c9nvpVid:012meP0Ikuwtvcz4pBWd
MD5:	33CC7C93858999843488542395770601
SHA1:	D57862368225F9240C279B0C1C1FA9BA7EB4E8CC
SHA-256:	F0738E409A7008B653A4E5C86D90CC73021988D59CAE648772305C41D6668BB1
SHA-512:	23F7DA5A861CAB4D0F06174BD78978F325B1D19DCECA6ED7A520B7957529B7D1A3EC1CC838EC140C426B0C64784B744AF6E3A4BB4C4514FE30A40E89CDEFFCAF
Malicious:	false
Preview:	U............@...8.A.....B.....C...i.D...i.E...l.F.....G...=.H.....I.....J...e.K...i.L...l.M.....N...=.O.....P...=.Q.....R.....S...i.T...i.U.....V.....W...m.X...i.Y.....Z...\.[.....\.....]...i.^...i._...i.`.....a...\.b.....c.....d...\.e...I.f.....g.....h.....i...i.j...U.k.....l.....m...\.n...I.o.....p...i.q...i.r.....s...\.t...I.u...).v.....w...\.x...I.y.....z...\.{.....\|...!.}.....~...\.............................\...........%.....i.....i.....i...............................................\.............................i.....U.................\.................i.....i...........\...........)...........\.................\...........!...........\.............................\...........a.....i.....i.....i...............................................\.............................i.....U.................\.................i.....i...........\......

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.92465625934964
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5SXTKXCnqS.exe
File size:	245650
MD5:	cb4947e5c78ada624d22c28ee9079871
SHA1:	eb2c2d329e9be0b3a74582a4fd9c257bc795a690
SHA256:	02230fb80db0fe0055730a0af8b3a0c66a578b2c315206053b80bae250c5561d
SHA512:	7582aed1984c65c550532ab4a97d6bc5bc45bfceeacdf329467b39667dbcaaa6a28175aa29fef30146e16cbdae903c5381b3d1ea47888f8d29b9f4119a581b26
SSDEEP:	3072:DQIURTXJ+McCmF7tC1eb4lhkULBwRLuJTqDW2CLd+d/Lpz3JAdFu4V65bRvSC5aL:Ds9cCmF5SnwvmLd+d/FcU4Y5bRvbRAaa
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General
Entrypoint:	0x40323c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F4F08FC0ABEh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007F4F08FC0771h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F4F08FC075Fh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F4F08FBDEBCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F4F08FC0252h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F4F08FBDF15h
cmp cl, 00000020h
jne 00007F4F08FBDEB8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F4F08FBDEACh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x9e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a5a	0x5c00	False	0.660453464674	data	6.41769823686	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.4453125	data	5.18162709925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55859375	data	4.70902740305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x9e0	0xa00	False	0.45625	data	4.51012867721	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c190	0x2e8	data	English	United States
RT_DIALOG	0x2c478	0x100	data	English	United States
RT_DIALOG	0x2c578	0x11c	data	English	United States
RT_DIALOG	0x2c698	0x60	data	English	United States
RT_GROUP_ICON	0x2c6f8	0x14	data	English	United States
RT_MANIFEST	0x2c710	0x2cc	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 17:43:43.751054049 CEST	49743	80	192.168.2.5	184.168.131.241
Jun 10, 2021 17:43:43.946315050 CEST	80	49743	184.168.131.241	192.168.2.5
Jun 10, 2021 17:43:43.946464062 CEST	49743	80	192.168.2.5	184.168.131.241
Jun 10, 2021 17:43:43.946809053 CEST	49743	80	192.168.2.5	184.168.131.241
Jun 10, 2021 17:43:44.140175104 CEST	80	49743	184.168.131.241	192.168.2.5
Jun 10, 2021 17:43:44.176570892 CEST	80	49743	184.168.131.241	192.168.2.5
Jun 10, 2021 17:43:44.176592112 CEST	80	49743	184.168.131.241	192.168.2.5
Jun 10, 2021 17:43:44.176776886 CEST	49743	80	192.168.2.5	184.168.131.241
Jun 10, 2021 17:43:44.176923990 CEST	49743	80	192.168.2.5	184.168.131.241
Jun 10, 2021 17:43:44.370253086 CEST	80	49743	184.168.131.241	192.168.2.5
Jun 10, 2021 17:44:22.608812094 CEST	49747	80	192.168.2.5	184.154.132.108
Jun 10, 2021 17:44:22.757802010 CEST	80	49747	184.154.132.108	192.168.2.5
Jun 10, 2021 17:44:22.757914066 CEST	49747	80	192.168.2.5	184.154.132.108
Jun 10, 2021 17:44:22.758177042 CEST	49747	80	192.168.2.5	184.154.132.108
Jun 10, 2021 17:44:22.907177925 CEST	80	49747	184.154.132.108	192.168.2.5
Jun 10, 2021 17:44:23.259699106 CEST	49747	80	192.168.2.5	184.154.132.108
Jun 10, 2021 17:44:23.449140072 CEST	80	49747	184.154.132.108	192.168.2.5
Jun 10, 2021 17:44:25.261095047 CEST	80	49747	184.154.132.108	192.168.2.5
Jun 10, 2021 17:44:25.261128902 CEST	80	49747	184.154.132.108	192.168.2.5
Jun 10, 2021 17:44:25.261281013 CEST	49747	80	192.168.2.5	184.154.132.108
Jun 10, 2021 17:44:25.261409044 CEST	49747	80	192.168.2.5	184.154.132.108

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 17:42:18.492783070 CEST	59596	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:42:18.544855118 CEST	53	59596	8.8.8.8	192.168.2.5
Jun 10, 2021 17:42:19.335189104 CEST	65296	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:42:19.396466017 CEST	53	65296	8.8.8.8	192.168.2.5
Jun 10, 2021 17:42:19.512371063 CEST	63183	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:42:19.569057941 CEST	53	63183	8.8.8.8	192.168.2.5
Jun 10, 2021 17:42:20.717751026 CEST	60151	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:42:20.769731045 CEST	53	60151	8.8.8.8	192.168.2.5
Jun 10, 2021 17:42:21.641571045 CEST	56969	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:42:21.705450058 CEST	53	56969	8.8.8.8	192.168.2.5
Jun 10, 2021 17:42:22.500428915 CEST	55161	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:42:22.550810099 CEST	53	55161	8.8.8.8	192.168.2.5
Jun 10, 2021 17:42:23.543167114 CEST	54757	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:42:23.596529961 CEST	53	54757	8.8.8.8	192.168.2.5
Jun 10, 2021 17:42:24.383204937 CEST	49992	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:42:24.433361053 CEST	53	49992	8.8.8.8	192.168.2.5
Jun 10, 2021 17:42:25.341476917 CEST	60075	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:42:25.393908024 CEST	53	60075	8.8.8.8	192.168.2.5
Jun 10, 2021 17:42:26.172918081 CEST	55016	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:42:26.231343985 CEST	53	55016	8.8.8.8	192.168.2.5
Jun 10, 2021 17:42:27.103193998 CEST	64345	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:42:27.161875010 CEST	53	64345	8.8.8.8	192.168.2.5
Jun 10, 2021 17:42:42.658490896 CEST	57128	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:42:42.723411083 CEST	53	57128	8.8.8.8	192.168.2.5
Jun 10, 2021 17:42:51.591604948 CEST	54791	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:42:51.652081966 CEST	53	54791	8.8.8.8	192.168.2.5
Jun 10, 2021 17:43:13.782732010 CEST	50463	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:43:13.846009016 CEST	53	50463	8.8.8.8	192.168.2.5
Jun 10, 2021 17:43:14.053622007 CEST	50394	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:43:14.107042074 CEST	53	50394	8.8.8.8	192.168.2.5
Jun 10, 2021 17:43:14.219866991 CEST	58530	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:43:14.285789013 CEST	53	58530	8.8.8.8	192.168.2.5
Jun 10, 2021 17:43:34.773329973 CEST	53813	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:43:34.834525108 CEST	53	53813	8.8.8.8	192.168.2.5
Jun 10, 2021 17:43:43.679322004 CEST	63732	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:43:43.745172024 CEST	53	63732	8.8.8.8	192.168.2.5
Jun 10, 2021 17:43:47.743932962 CEST	57344	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:43:47.812141895 CEST	53	57344	8.8.8.8	192.168.2.5
Jun 10, 2021 17:44:13.907901049 CEST	54450	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:44:13.974658012 CEST	53	54450	8.8.8.8	192.168.2.5
Jun 10, 2021 17:44:15.050772905 CEST	59261	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:44:15.120481968 CEST	53	59261	8.8.8.8	192.168.2.5
Jun 10, 2021 17:44:22.509793997 CEST	57151	53	192.168.2.5	8.8.8.8
Jun 10, 2021 17:44:22.607316017 CEST	53	57151	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 10, 2021 17:43:43.679322004 CEST	192.168.2.5	8.8.8.8	0x8cf7	Standard query (0)	www.centerstageacademyaz.com	A (IP address)	IN (0x0001)
Jun 10, 2021 17:44:22.509793997 CEST	192.168.2.5	8.8.8.8	0x19c5	Standard query (0)	www.updatesz.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 10, 2021 17:43:43.745172024 CEST	8.8.8.8	192.168.2.5	0x8cf7	No error (0)	www.centerstageacademyaz.com	centerstageacademyaz.com		CNAME (Canonical name)	IN (0x0001)
Jun 10, 2021 17:43:43.745172024 CEST	8.8.8.8	192.168.2.5	0x8cf7	No error (0)	centerstageacademyaz.com		184.168.131.241	A (IP address)	IN (0x0001)
Jun 10, 2021 17:44:22.607316017 CEST	8.8.8.8	192.168.2.5	0x19c5	No error (0)	www.updatesz.com	updatesz.com		CNAME (Canonical name)	IN (0x0001)
Jun 10, 2021 17:44:22.607316017 CEST	8.8.8.8	192.168.2.5	0x19c5	No error (0)	updatesz.com		184.154.132.108	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.centerstageacademyaz.com

www.updatesz.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49743	184.168.131.241	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 17:43:43.946809053 CEST	3035	OUT	GET /hlx/?wVSH=B58lx/xaXAfqMrblDg0CPLD4IpEHx1MuvfXEetjmXTR5BJPCAvCKa/uMIPwGmDqbiG+v&i0D=adKPlr HTTP/1.1 Host: www.centerstageacademyaz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 17:43:44.176570892 CEST	3036	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.16.1 Date: Thu, 10 Jun 2021 15:43:44 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: http://centerstage.academy/hlx/?wVSH=B58lx/xaXAfqMrblDg0CPLD4IpEHx1MuvfXEetjmXTR5BJPCAvCKa/uMIPwGmDqbiG+v&i0D=adKPlr Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49747	184.154.132.108	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 17:44:22.758177042 CEST	3088	OUT	GET /hlx/?wVSH=1q0nvnuESuCKkKkbLudmlC1kRF8eq+dUTLEJwYL638OOvnGjESXIW61pqUjqlD08HWSv&i0D=adKPlr HTTP/1.1 Host: www.updatesz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 17:44:25.261095047 CEST	3089	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 10 Jun 2021 15:44:21 GMT Server: Apache/2.4.46 (cPanel) OpenSSL/1.1.1k mod_bwlimited/1.4 Phusion_Passenger/6.0.7 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://updatesz.com/hlx/?wVSH=1q0nvnuESuCKkKkbLudmlC1kRF8eq+dUTLEJwYL638OOvnGjESXIW61pqUjqlD08HWSv&i0D=adKPlr Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xE2
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xE2
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xE2
GetMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xE2

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: 5SXTKXCnqS.exe PID: 5828 Parent PID: 5720

General

Start time:	17:42:26
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\5SXTKXCnqS.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\5SXTKXCnqS.exe'
Imagebase:	0x400000
File size:	245650 bytes
MD5 hash:	CB4947E5C78ADA624D22C28EE9079871
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: 5SXTKXCnqS.exe PID: 4328 Parent PID: 5828

General

Start time:	17:42:27
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\5SXTKXCnqS.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\5SXTKXCnqS.exe'
Imagebase:	0x400000
File size:	245650 bytes
MD5 hash:	CB4947E5C78ADA624D22C28EE9079871
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3472 Parent PID: 4328

General

Start time:	17:42:31
Start date:	10/06/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: msdt.exe PID: 4940 Parent PID: 3472

General

Start time:	17:43:03
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msdt.exe
Imagebase:	0x10f0000
File size:	1508352 bytes
MD5 hash:	7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 1384 Parent PID: 4940

General

Start time:	17:43:06
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\5SXTKXCnqS.exe'
Imagebase:	0x1f0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5388 Parent PID: 1384

General

Start time:	17:43:06
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 5SXTKXCnqS

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre