Windows Analysis Report UaTmOE6yP9

Overview

General Information

Sample Name: UaTmOE6yP9 (renamed file extension from none to exe)
Analysis ID: 492896
MD5: 4c70d5b1c63a468f7e0aedf64f93ca42
SHA1: c248ab00560786b7be23151597d9503a2e84602f
SHA256: 83242a0f42be34e66e502e4a3a45d2470f3b24aef8a1d8484711f4439d7fe74a
Tags: 32, exe, Formbook, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to delay execution (extensive OutputDebugStringW loop)
Machine Learning detection for sample
Binary or sample is protected by dotNetProtector
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.simpeltattofor.men/mjyv/"], "decoy": ["wenyuexuan.com", "tropicaldepression.info", "healthylifefit.com", "reemletenleafy.com", "jmrrve.com", "mabduh.com", "esomvw.com", "selfcaresereneneness.com", "murdabudz.com", "meinemail.online", "brandqrcodes.com", "live-in-pflege.com", "nickrecovery.com", "ziototoristorante.com", "chatcure.com", "corlora.com", "localagentlab.com", "yogo7.net", "krveop.com", "heianswer.xyz", "idproslot.xyz", "anielleharris.com", "lebonaharchitects.com", "chilestew.com", "ventasdecasasylotes.xyz", "welcome-sber.store", "ahmedintisher.com", "pastlinks.com", "productprinting.online", "babybox.media", "volteraenergy.net", "chinatowndeliver.com", "behiscalm.com", "totalselfconfidence.net", "single-on-purpose.com", "miyonbuilding.com", "medicalmanagementinc.info", "bellaalubo.com", "dubaibiologicdentist.com", "jspagnier-graveur.com", "deskbk.com", "thehauntdepot.com", "5fbuy.com", "calmingscience.com", "luvnecklace.com", "noun-bug.com", "mysenarai.com", "socialmediaplugin.com", "livinglovinglincoln.com", "vaxfreeschool.com", "bjjinmei.com", "p60p.com", "upgradepklohb.xyz", "georges-lego.com", "lkkogltoyof4.xyz", "fryhealty.com", "peacetransformationpath.com", "lightfootsteps.com", "recreativemysteriousgift.com", "luminoza.website", "mccorklehometeam.com", "car-insurance-rates-x2.info", "serpasboutiquedecarnes.com", "1971event.com"]}
Multi AV Scanner detection for submitted file
Source: UaTmOE6yP9.exe Virustotal: Detection: 43%
Source: UaTmOE6yP9.exe Metadefender: Detection: 37%
Source: UaTmOE6yP9.exe ReversingLabs: Detection: 77%
Yara detected FormBook
Source: Yara match File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY
Antivirus / Scanner detection for submitted sample
Source: UaTmOE6yP9.exe Avira: detected
Antivirus detection for URL or domain
Source: www.simpeltattofor.men/mjyv/ Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: UaTmOE6yP9.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: UaTmOE6yP9.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: UaTmOE6yP9.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: UaTmOE6yP9.exe, 00000003.00000002.412307284.0000000001360000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: UaTmOE6yP9.exe, 00000003.00000002.412307284.0000000001360000.00000040.00000001.sdmp, wscript.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 4x nop then pop edi 3_2_004162E1
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 4x nop then pop edi 3_2_00415683
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop edi 9_2_00DD62E1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop edi 9_2_00DD5683

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49812 -> 108.179.246.105:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49812 -> 108.179.246.105:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49812 -> 108.179.246.105:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49817 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49817 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49817 -> 23.227.38.74:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 108.179.246.105 80
Source: C:\Windows\explorer.exe Domain query: www.corlora.com
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Domain query: www.thehauntdepot.com
Source: C:\Windows\explorer.exe Domain query: www.bellaalubo.com
Source: C:\Windows\explorer.exe Domain query: www.pastlinks.com
Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe Network Connect: 54.85.93.188 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.jspagnier-graveur.com
Source: C:\Windows\explorer.exe Domain query: www.behiscalm.com
Source: C:\Windows\explorer.exe Domain query: www.productprinting.online
Source: C:\Windows\explorer.exe Domain query: www.miyonbuilding.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.simpeltattofor.men/mjyv/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw== HTTP/1.1 | Host: www.bellaalubo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 | Host: www.behiscalm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ== HTTP/1.1 | Host: www.productprinting.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg== HTTP/1.1 | Host: www.corlora.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 | Host: www.jspagnier-graveur.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 | Host: www.chinatowndeliver.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.227.38.74
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp String found in binary or memory: http://c.statcounter.com/9484561/0/b0cbab70/1/
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp String found in binary or memory: http://statcounter.com/
Source: explorer.exe, 00000005.00000000.391155069.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp String found in binary or memory: https://www.namebrightstatic.com/images/bg.png)
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp String found in binary or memory: https://www.namebrightstatic.com/images/error_board.png)
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp String found in binary or memory: https://www.namebrightstatic.com/images/header_bg.png)
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp String found in binary or memory: https://www.namebrightstatic.com/images/logo_off.gif)
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp String found in binary or memory: https://www.namebrightstatic.com/images/site_maintenance.png)
Source: unknown DNS traffic detected: queries for: www.bellaalubo.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: UaTmOE6yP9.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_008E275D 0_2_008E275D
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_01792060 0_2_01792060
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_01796080 0_2_01796080
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_017947A0 0_2_017947A0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_01796620 0_2_01796620
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_01792A48 0_2_01792A48
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_01797080 0_2_01797080
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_017954E8 0_2_017954E8
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_017919D0 0_2_017919D0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_017941A8 0_2_017941A8
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_01794E00 0_2_01794E00
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_0179B1E8 0_2_0179B1E8
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_01793040 0_2_01793040
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_0179B808 0_2_0179B808
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_01793BC0 0_2_01793BC0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_00911D21 0_2_00911D21
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_008E6458 0_2_008E6458
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_0041C970 3_2_0041C970
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_0041B9BF 3_2_0041B9BF
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_0041D294 3_2_0041D294
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_0041CBD1 3_2_0041CBD1
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00408C80 3_2_00408C80
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_0041CC9E 3_2_0041CC9E
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00402D88 3_2_00402D88
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_008E275D 3_2_008E275D
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00911D21 3_2_00911D21
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_008E6458 3_2_008E6458
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05220D20 9_2_05220D20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05244120 9_2_05244120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0522F900 9_2_0522F900
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052F2D07 9_2_052F2D07
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052F1D55 9_2_052F1D55
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05252581 9_2_05252581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0523D5E0 9_2_0523D5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052E1002 9_2_052E1002
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0523841F 9_2_0523841F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052520A0 9_2_052520A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052F20A8 9_2_052F20A8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0523B090 9_2_0523B090
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052F2B28 9_2_052F2B28
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0525EBB0 9_2_0525EBB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052F1FF1 9_2_052F1FF1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05246E30 9_2_05246E30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052F22AE 9_2_052F22AE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052F2EF7 9_2_052F2EF7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DDB9BF 9_2_00DDB9BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DDC970 9_2_00DDC970
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DDD294 9_2_00DDD294
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DDCBD1 9_2_00DDCBD1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DDCC9E 9_2_00DDCC9E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DC8C80 9_2_00DC8C80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DC2D90 9_2_00DC2D90
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DC2D88 9_2_00DC2D88
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DC2FB0 9_2_00DC2FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0522B150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_004185E0 NtCreateFile, 3_2_004185E0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00418690 NtReadFile, 3_2_00418690
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00418710 NtClose, 3_2_00418710
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_004187C0 NtAllocateVirtualMemory, 3_2_004187C0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_004185DA NtCreateFile, 3_2_004185DA
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_0041868A NtReadFile, 3_2_0041868A
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_0041868C NtReadFile, 3_2_0041868C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_05269910
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269540 NtReadFile,LdrInitializeThunk, 9_2_05269540
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052699A0 NtCreateSection,LdrInitializeThunk, 9_2_052699A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052695D0 NtClose,LdrInitializeThunk, 9_2_052695D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_05269860
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269840 NtDelayExecution,LdrInitializeThunk, 9_2_05269840
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269710 NtQueryInformationToken,LdrInitializeThunk, 9_2_05269710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269780 NtMapViewOfSection,LdrInitializeThunk, 9_2_05269780
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269FE0 NtCreateMutant,LdrInitializeThunk, 9_2_05269FE0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_05269660
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269650 NtQueryValueKey,LdrInitializeThunk, 9_2_05269650
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269A50 NtCreateFile,LdrInitializeThunk, 9_2_05269A50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052696E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_052696E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052696D0 NtCreateKey,LdrInitializeThunk, 9_2_052696D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269520 NtWaitForSingleObject, 9_2_05269520
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0526AD30 NtSetContextThread, 9_2_0526AD30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269560 NtWriteFile, 9_2_05269560
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269950 NtQueueApcThread, 9_2_05269950
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052695F0 NtQueryInformationFile, 9_2_052695F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052699D0 NtCreateProcessEx, 9_2_052699D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269820 NtEnumerateKey, 9_2_05269820
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0526B040 NtSuspendThread, 9_2_0526B040
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052698A0 NtWriteVirtualMemory, 9_2_052698A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052698F0 NtReadVirtualMemory, 9_2_052698F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269730 NtQueryVirtualMemory, 9_2_05269730
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269B00 NtSetValueKey, 9_2_05269B00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0526A710 NtOpenProcessToken, 9_2_0526A710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269760 NtOpenProcess, 9_2_05269760
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269770 NtSetInformationFile, 9_2_05269770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0526A770 NtOpenThread, 9_2_0526A770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_052697A0 NtUnmapViewOfSection, 9_2_052697A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0526A3B0 NtGetContextThread, 9_2_0526A3B0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269A20 NtResumeThread, 9_2_05269A20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269A00 NtProtectVirtualMemory, 9_2_05269A00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269610 NtEnumerateValueKey, 9_2_05269610
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269A10 NtQuerySection, 9_2_05269A10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269670 NtQueryInformationProcess, 9_2_05269670
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_05269A80 NtOpenDirectoryObject, 9_2_05269A80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD85E0 NtCreateFile, 9_2_00DD85E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD8690 NtReadFile, 9_2_00DD8690
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD87C0 NtAllocateVirtualMemory, 9_2_00DD87C0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD8710 NtClose, 9_2_00DD8710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD85DA NtCreateFile, 9_2_00DD85DA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD868C NtReadFile, 9_2_00DD868C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD868A NtReadFile, 9_2_00DD868A
Sample file is different than original file name gathered from version info
Source: UaTmOE6yP9.exe, 00000003.00000002.412436722.000000000147F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs UaTmOE6yP9.exe
Source: UaTmOE6yP9.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UaTmOE6yP9.exe Virustotal: Detection: 43%
Source: UaTmOE6yP9.exe Metadefender: Detection: 37%
Source: UaTmOE6yP9.exe ReversingLabs: Detection: 77%
Source: UaTmOE6yP9.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/0@9/5
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: UaTmOE6yP9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: UaTmOE6yP9.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: UaTmOE6yP9.exe, 00000003.00000002.412307284.0000000001360000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: UaTmOE6yP9.exe, 00000003.00000002.412307284.0000000001360000.00000040.00000001.sdmp, wscript.exe

Data Obfuscation:

Binary or sample is protected by dotNetProtector
Source: UaTmOE6yP9.exe String found in binary or memory: dotNetProtector
Source: UaTmOE6yP9.exe, 00000000.00000000.341534610.00000000008E2000.00000020.00020000.sdmp String found in binary or memory: qOrset_ShowInTaskbarFUseTwoDigitYearAltDirectorySeparatorChartmFirstCharM_firstCharTryParseHexCharStringToNumberStreamHeaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderBinderTypeDefFinder_encoderlpBufferResourceManagerSet_LoggerDebuggerMakeQuantifierListenerOwnOwnerCreateProcessAsUserFetchReturnParameterm_returnParameterMDTableWriterget_IsPointerBitConverterOtherLetterGetTokenForInternalErrorResourceManagerMediatoramDesignatorsDecimalSeparatorIEnumeratorGetEnumerator.ctor_subtractor.cctordotNetProtectorget_IsConstructorFrameSecurityDescriptorCreateDecryptorIntPtrGet_ErasEnumTypeSpecsEnumMethodSemanticsGetCharacteristicsSystem.DiagnosticsAddMilliseconds_dynamicMethodsGetMethodsAllowBracesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesIsRTLResourcesplfrrokpkd.resourcesRejectChangesGet_MethodBodiesMDBeginWriteMethodBodiesEnumerateFileSystemEntriesVTablesEnableVisualStylesAbbreviatedEnglishEraNamesLoadCulturesFromNamesGetEnumNamesSet_DayNamesHasSpacesInDayNamesGetNumberOfFramesShortTimesGet_s_systemTimeZonesCorLibTypesGetExceptionTypesMethodAttributesFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesGetBytesProjectWinMDRefsM_stateFlagsBindingFlagsHijriMonthsLengthFlagsGetMethodImplementationFlagsSetImplementationFlagsModuleSearchPathsDateToTicksLiteralsEqualsAllStreamsSystem.Windows.FormsLevelConversionsGet_PointerToRelocationsm_methodInstantiationsSystem.CollectionsFunctionsCallingConventionsSet_OptionsTimeZoneInfoOptionsSigComparerOptionsGetAssertionsMethodImplInfosCalendarsget_CharsNumberOfLinenumbersGet_StreamHeadersGetOptionalCustomModifiersGetParametersAssertFiltersget_IsClassNoAccessAssemblyBuilderAccesshProcessGetCurrentProcesslpBaseAddressConvertRTInternalAddresslpAddressGet_WatsonBucketsCreateWindowsConcatM_bFormatIncludeSectCreateCaObjectGet_IsRequireSecObjectTaggedObjectStreamedObjectTypeObjectGetObjectobjectSelectFrameworkRedirectflProtectM_objSetM_normalPermSetCharSetNotECMADigitSetM_tryEndOffsetBaseFileOffsetFirstLevelOffsetSetStartOffsetMaxOptionShiftUnmanaged32Bit_64Bitop_ExplicitSystem.Reflection.Emit_ExitSetCompatibleTextRenderingDefaultFirstOrDefaultIAsyncResultresultOp_IncrementEnvironmentIsAllSecurityTransparentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentCheckRemoteDebuggerPresentIsDebuggerPresentGet_CurrExcStackCountM_labelCount_invocationCountReuseSlotGet_IsNewSlotParameterizedThreadStartConvertFailFastContiguousRidListDataHeaderListCopyToArrayListTttWaitTimeoutSuspendLayoutResumeLayoutMoveNextSystem.TextSet_SynchronizationContextcontext*
Source: UaTmOE6yP9.exe String found in binary or memory: dotNetProtector
Source: UaTmOE6yP9.exe, 00000003.00000000.345884716.00000000008E2000.00000020.00020000.sdmp String found in binary or memory: qOrset_ShowInTaskbarFUseTwoDigitYearAltDirectorySeparatorChartmFirstCharM_firstCharTryParseHexCharStringToNumberStreamHeaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderBinderTypeDefFinder_encoderlpBufferResourceManagerSet_LoggerDebuggerMakeQuantifierListenerOwnOwnerCreateProcessAsUserFetchReturnParameterm_returnParameterMDTableWriterget_IsPointerBitConverterOtherLetterGetTokenForInternalErrorResourceManagerMediatoramDesignatorsDecimalSeparatorIEnumeratorGetEnumerator.ctor_subtractor.cctordotNetProtectorget_IsConstructorFrameSecurityDescriptorCreateDecryptorIntPtrGet_ErasEnumTypeSpecsEnumMethodSemanticsGetCharacteristicsSystem.DiagnosticsAddMilliseconds_dynamicMethodsGetMethodsAllowBracesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesIsRTLResourcesplfrrokpkd.resourcesRejectChangesGet_MethodBodiesMDBeginWriteMethodBodiesEnumerateFileSystemEntriesVTablesEnableVisualStylesAbbreviatedEnglishEraNamesLoadCulturesFromNamesGetEnumNamesSet_DayNamesHasSpacesInDayNamesGetNumberOfFramesShortTimesGet_s_systemTimeZonesCorLibTypesGetExceptionTypesMethodAttributesFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesGetBytesProjectWinMDRefsM_stateFlagsBindingFlagsHijriMonthsLengthFlagsGetMethodImplementationFlagsSetImplementationFlagsModuleSearchPathsDateToTicksLiteralsEqualsAllStreamsSystem.Windows.FormsLevelConversionsGet_PointerToRelocationsm_methodInstantiationsSystem.CollectionsFunctionsCallingConventionsSet_OptionsTimeZoneInfoOptionsSigComparerOptionsGetAssertionsMethodImplInfosCalendarsget_CharsNumberOfLinenumbersGet_StreamHeadersGetOptionalCustomModifiersGetParametersAssertFiltersget_IsClassNoAccessAssemblyBuilderAccesshProcessGetCurrentProcesslpBaseAddressConvertRTInternalAddresslpAddressGet_WatsonBucketsCreateWindowsConcatM_bFormatIncludeSectCreateCaObjectGet_IsRequireSecObjectTaggedObjectStreamedObjectTypeObjectGetObjectobjectSelectFrameworkRedirectflProtectM_objSetM_normalPermSetCharSetNotECMADigitSetM_tryEndOffsetBaseFileOffsetFirstLevelOffsetSetStartOffsetMaxOptionShiftUnmanaged32Bit_64Bitop_ExplicitSystem.Reflection.Emit_ExitSetCompatibleTextRenderingDefaultFirstOrDefaultIAsyncResultresultOp_IncrementEnvironmentIsAllSecurityTransparentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentCheckRemoteDebuggerPresentIsDebuggerPresentGet_CurrExcStackCountM_labelCount_invocationCountReuseSlotGet_IsNewSlotParameterizedThreadStartConvertFailFastContiguousRidListDataHeaderListCopyToArrayListTttWaitTimeoutSuspendLayoutResumeLayoutMoveNextSystem.TextSet_SynchronizationContextcontext*
Source: wscript.exe, 00000009.00000002.611779827.0000000005737000.00000004.00020000.sdmp String found in binary or memory: dotNetProtector
Source: wscript.exe, 00000009.00000002.611779827.0000000005737000.00000004.00020000.sdmp String found in binary or memory: qOrset_ShowInTaskbarFUseTwoDigitYearAltDirectorySeparatorChartmFirstCharM_firstCharTryParseHexCharStringToNumberStreamHeaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderBinderTypeDefFinder_encoderlpBufferResourceManagerSet_LoggerDebuggerMakeQuantifierListenerOwnOwnerCreateProcessAsUserFetchReturnParameterm_returnParameterMDTableWriterget_IsPointerBitConverterOtherLetterGetTokenForInternalErrorResourceManagerMediatoramDesignatorsDecimalSeparatorIEnumeratorGetEnumerator.ctor_subtractor.cctordotNetProtectorget_IsConstructorFrameSecurityDescriptorCreateDecryptorIntPtrGet_ErasEnumTypeSpecsEnumMethodSemanticsGetCharacteristicsSystem.DiagnosticsAddMilliseconds_dynamicMethodsGetMethodsAllowBracesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesIsRTLResourcesplfrrokpkd.resourcesRejectChangesGet_MethodBodiesMDBeginWriteMethodBodiesEnumerateFileSystemEntriesVTablesEnableVisualStylesAbbreviatedEnglishEraNamesLoadCulturesFromNamesGetEnumNamesSet_DayNamesHasSpacesInDayNamesGetNumberOfFramesShortTimesGet_s_systemTimeZonesCorLibTypesGetExceptionTypesMethodAttributesFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesGetBytesProjectWinMDRefsM_stateFlagsBindingFlagsHijriMonthsLengthFlagsGetMethodImplementationFlagsSetImplementationFlagsModuleSearchPathsDateToTicksLiteralsEqualsAllStreamsSystem.Windows.FormsLevelConversionsGet_PointerToRelocationsm_methodInstantiationsSystem.CollectionsFunctionsCallingConventionsSet_OptionsTimeZoneInfoOptionsSigComparerOptionsGetAssertionsMethodImplInfosCalendarsget_CharsNumberOfLinenumbersGet_StreamHeadersGetOptionalCustomModifiersGetParametersAssertFiltersget_IsClassNoAccessAssemblyBuilderAccesshProcessGetCurrentProcesslpBaseAddressConvertRTInternalAddresslpAddressGet_WatsonBucketsCreateWindowsConcatM_bFormatIncludeSectCreateCaObjectGet_IsRequireSecObjectTaggedObjectStreamedObjectTypeObjectGetObjectobjectSelectFrameworkRedirectflProtectM_objSetM_normalPermSetCharSetNotECMADigitSetM_tryEndOffsetBaseFileOffsetFirstLevelOffsetSetStartOffsetMaxOptionShiftUnmanaged32Bit_64Bitop_ExplicitSystem.Reflection.Emit_ExitSetCompatibleTextRenderingDefaultFirstOrDefaultIAsyncResultresultOp_IncrementEnvironmentIsAllSecurityTransparentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentCheckRemoteDebuggerPresentIsDebuggerPresentGet_CurrExcStackCountM_labelCount_invocationCountReuseSlotGet_IsNewSlotParameterizedThreadStartConvertFailFastContiguousRidListDataHeaderListCopyToArrayListTttWaitTimeoutSuspendLayoutResumeLayoutMoveNextSystem.TextSet_SynchronizationContextcontext*
Source: UaTmOE6yP9.exe String found in binary or memory: dotNetProtector
Source: UaTmOE6yP9.exe String found in binary or memory: qOrset_ShowInTaskbarFUseTwoDigitYearAltDirectorySeparatorChartmFirstCharM_firstCharTryParseHexCharStringToNumberStreamHeaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderBinderTypeDefFinder_encoderlpBufferResourceManagerSet_LoggerDebuggerMakeQuantifierListenerOwnOwnerCreateProcessAsUserFetchReturnParameterm_returnParameterMDTableWriterget_IsPointerBitConverterOtherLetterGetTokenForInternalErrorResourceManagerMediatoramDesignatorsDecimalSeparatorIEnumeratorGetEnumerator.ctor_subtractor.cctordotNetProtectorget_IsConstructorFrameSecurityDescriptorCreateDecryptorIntPtrGet_ErasEnumTypeSpecsEnumMethodSemanticsGetCharacteristicsSystem.DiagnosticsAddMilliseconds_dynamicMethodsGetMethodsAllowBracesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesIsRTLResourcesplfrrokpkd.resourcesRejectChangesGet_MethodBodiesMDBeginWriteMethodBodiesEnumerateFileSystemEntriesVTablesEnableVisualStylesAbbreviatedEnglishEraNamesLoadCulturesFromNamesGetEnumNamesSet_DayNamesHasSpacesInDayNamesGetNumberOfFramesShortTimesGet_s_systemTimeZonesCorLibTypesGetExceptionTypesMethodAttributesFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesGetBytesProjectWinMDRefsM_stateFlagsBindingFlagsHijriMonthsLengthFlagsGetMethodImplementationFlagsSetImplementationFlagsModuleSearchPathsDateToTicksLiteralsEqualsAllStreamsSystem.Windows.FormsLevelConversionsGet_PointerToRelocationsm_methodInstantiationsSystem.CollectionsFunctionsCallingConventionsSet_OptionsTimeZoneInfoOptionsSigComparerOptionsGetAssertionsMethodImplInfosCalendarsget_CharsNumberOfLinenumbersGet_StreamHeadersGetOptionalCustomModifiersGetParametersAssertFiltersget_IsClassNoAccessAssemblyBuilderAccesshProcessGetCurrentProcesslpBaseAddressConvertRTInternalAddresslpAddressGet_WatsonBucketsCreateWindowsConcatM_bFormatIncludeSectCreateCaObjectGet_IsRequireSecObjectTaggedObjectStreamedObjectTypeObjectGetObjectobjectSelectFrameworkRedirectflProtectM_objSetM_normalPermSetCharSetNotECMADigitSetM_tryEndOffsetBaseFileOffsetFirstLevelOffsetSetStartOffsetMaxOptionShiftUnmanaged32Bit_64Bitop_ExplicitSystem.Reflection.Emit_ExitSetCompatibleTextRenderingDefaultFirstOrDefaultIAsyncResultresultOp_IncrementEnvironmentIsAllSecurityTransparentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentCheckRemoteDebuggerPresentIsDebuggerPresentGet_CurrExcStackCountM_labelCount_invocationCountReuseSlotGet_IsNewSlotParameterizedThreadStartConvertFailFastContiguousRidListDataHeaderListCopyToArrayListTttWaitTimeoutSuspendLayoutResumeLayoutMoveNextSystem.TextSet_SynchronizationContextcontext*
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_00915064 push ebp; ret 0_2_00915066
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_01792877 push ebx; ret 0_2_0179287A
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_0041B822 push eax; ret 3_2_0041B828
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_0041B82B push eax; ret 3_2_0041B892
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_0041502F push esp; iretd 3_2_00415032
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_0041B88C push eax; ret 3_2_0041B892
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00416092 push ebx; retf 3_2_00416097
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00416099 push ss; iretd 3_2_004160B7
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_004160BB push ss; iretd 3_2_004160B7
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00416105 push ss; iretd 3_2_004160B7
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00415CE7 push ss; iretd 3_2_00415CE9
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00418556 push eax; ret 3_2_00418559
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00414EEC push 395C2345h; retf 3_2_00414EF3
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00414F42 push ebp; ret 3_2_00414F4A
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_0041B7D5 push eax; ret 3_2_0041B828
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00915064 push ebp; ret 3_2_00915066
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0527D0D1 push ecx; ret 9_2_0527D0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD6099 push ss; iretd 9_2_00DD60B7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD6092 push ebx; retf 9_2_00DD6097
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DDB88C push eax; ret 9_2_00DDB892
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD60BB push ss; iretd 9_2_00DD60B7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD502F push esp; iretd 9_2_00DD5032
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DDB82B push eax; ret 9_2_00DDB892
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DDB822 push eax; ret 9_2_00DDB828
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD6105 push ss; iretd 9_2_00DD60B7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD5CE7 push ss; iretd 9_2_00DD5CE9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD8556 push eax; ret 9_2_00DD8559
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD4EEC push 395C2345h; retf 9_2_00DD4EF3
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DDB7D5 push eax; ret 9_2_00DDB828
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00DD4F42 push ebp; ret 9_2_00DD4F4A
PE file contains an invalid checksum
Source: UaTmOE6yP9.exe Static PE information: real checksum: 0x5063c should be: 0x10803c
Source: initial sample Static PE information: section name: .text entropy: 7.77367738512

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\wscript.exe Process created: /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Source: C:\Windows\SysWOW64\wscript.exe Process created: /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Section loaded: OutputDebugStringW count: 229
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 0000000000DC8604 second address: 0000000000DC860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 0000000000DC899E second address: 0000000000DC89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe TID: 6588 Thread sleep time: -214000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4768 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 6632 Thread sleep time: -34000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_004088D0 rdtsc 3_2_004088D0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process information queried: ProcessInformation
Source: explorer.exe, 00000005.00000000.385097826.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.384921628.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.370237561.000000000461E000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.356293831.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.384921628.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.356293831.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.385697655.000000000866E000.00000004.00000001.sdmp Binary or memory string: 0ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&-
Source: explorer.exe, 00000005.00000000.361282017.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.401542053.0000000008552000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: explorer.exe, 00000005.00000000.361282017.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.385097826.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.391155069.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 0_2_0179CA94 CheckRemoteDebuggerPresent, 0_2_0179CA94
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_004088D0 rdtsc 3_2_004088D0
Enables debug privileges
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe Process token adjusted: Debug
Contains functionality to read the PEB
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Code function: 3_2_00409B40 LdrLoadDll, 3_2_00409B40
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 108.179.246.105 80
Source: C:\Windows\explorer.exe Domain query: www.corlora.com
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Domain query: www.thehauntdepot.com
Source: C:\Windows\explorer.exe Domain query: www.bellaalubo.com
Source: C:\Windows\explorer.exe Domain query: www.pastlinks.com
Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe Network Connect: 54.85.93.188 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.jspagnier-graveur.com
Source: C:\Windows\explorer.exe Domain query: www.behiscalm.com
Source: C:\Windows\explorer.exe Domain query: www.productprinting.online
Source: C:\Windows\explorer.exe Domain query: www.miyonbuilding.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 12B0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Memory written: C:\Users\user\Desktop\UaTmOE6yP9.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 3440
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Source: UaTmOE6yP9.exe, 00000000.00000002.608713457.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.368759315.0000000000EE0000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.608369932.0000000003AB0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: UaTmOE6yP9.exe, 00000000.00000002.608713457.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.368759315.0000000000EE0000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.608369932.0000000003AB0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: UaTmOE6yP9.exe, 00000000.00000002.608713457.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.368759315.0000000000EE0000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.608369932.0000000003AB0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: UaTmOE6yP9.exe, 00000000.00000002.608713457.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.368759315.0000000000EE0000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.608369932.0000000003AB0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Queries volume information: C:\Users\user\Desktop\UaTmOE6yP9.exe VolumeInformation
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY