Source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp |
Malware Configuration Extractor: FormBook {"C2 list": ["www.septemberstockevent200.com/ht08/"], "decoy": ["joye.club", "istanbulemlakgalerisi.online", "annikadaniel.love", "oooci.com", "curebase-test.com", "swisstradecenter.com", "hacticum.com", "centercodebase.com", "recbi56ni.com", "mmj0115.xyz", "sharpstead.com", "sprklbeauty.com", "progettogenesi.cloud", "dolinum.com", "amaroqadvisors.com", "traininig.com", "leewaysvcs.com", "nashhomesearch.com", "joy1263.com", "serkanyamac.com", "nursingprogramsforme.com", "huakf.com", "1w3.online", "watermountsteam.top", "tyralruutan.quest", "mattlambert.xyz", "xn--fiqs8sypgfujbl4a.xn--czru2d", "hfgoal.com", "587868.net", "noyoucantridemyonewheel.com", "riewesell.top", "expn.asia", "suplementarsas.com", "item154655544.com", "cdgdentists.com", "deboraverdian.com", "franquiciasexclusivas.tienda", "tminus-10.com", "psychoterapeuta-wroclaw.com", "coachingbywatson.com", "lknitti.net", "belenpison.agency", "facilitetec.com", "99077000.com", "thefitmog.com", "kinmanpowerwashing.com", "escueladelbuenamor.com", "getjoyce.net", "oilelm.com", "maikoufarm.com", "hespresso.net", "timothyschmallrealt.com", "knoxvilleraingutters.com", "roonkingagency.online", "trashwasher.com", "angyfoods.com", "yungbredda.com", "digipoint-entertainment.com", "shangduli.space", "kalaraskincare.com", "ktnsound.xyz", "miabellavita.com", "thenlpmentor.com", "marzhukov.com"]} |
Source: QUOTATION_doc.exe |
Virustotal: Detection: 29% |
Source: QUOTATION_doc.exe |
ReversingLabs: Detection: 29% |
Source: Yara match |
File source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: www.septemberstockevent200.com/ht08/ |
Virustotal: Detection: 7% |
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe |
Virustotal: Detection: 29% |
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe |
ReversingLabs: Detection: 29% |
Source: 16.0.mobsync.exe.72480000.2.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 16.0.mobsync.exe.72480000.1.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 16.0.mobsync.exe.72480000.3.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: 16.0.mobsync.exe.72480000.0.unpack |
Avira: Label: TR/Crypt.ZPACK.Gen |
Source: QUOTATION_doc.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI |
Source: Malware configuration extractor |
URLs: www.septemberstockevent200.com/ht08/ |
Source: explorer.exe, 00000011.00000000.560901848.000000000095C000.00000004.00000020.sdmp |
String found in binary or memory: http://www.autoitscript.com/autoit3/J |
Source: unknown |
DNS traffic detected: queries for: onedrive.live.com |
Source: Yara match |
File source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: initial sample |
Static PE information: Filename: QUOTATION_doc.exe |
Source: initial sample |
Static PE information: Filename: QUOTATION_doc.exe |
Source: QUOTATION_doc.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI |
Source: 00000011.00000000.624299247.000000000D4FD000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000011.00000000.624322018.000000000D502000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 00000011.00000000.550371526.000000000D4FD000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\Public\Libraries\eztpuH.url, type: DROPPED |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: String function: 022F837C appears 90 times |
|
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe |
Code function: String function: 0274A6A0 appears 96 times |
|
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe |
Code function: String function: 0274837C appears 104 times |
|
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe |
Code function: String function: 021FD424 appears 90 times |
|
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe |
Code function: String function: 0274D424 appears 72 times |
|
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe |
Code function: String function: 021F837C appears 120 times |
|
Source: QUOTATION_doc.exe |
Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST |
Source: Huptze.exe.0.dr |
Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Memory allocated: 72480000 page execute and read and write |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Memory allocated: 72480000 page execute and read and write |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Memory allocated: 72480000 page no access |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Memory allocated: 72480000 page read and write |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Memory allocated: 72481000 page read and write |
Source: QUOTATION_doc.exe |
Virustotal: Detection: 29% |
Source: QUOTATION_doc.exe |
ReversingLabs: Detection: 29% |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\QUOTATION_doc.exe 'C:\Users\user\Desktop\QUOTATION_doc.exe' |
|
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
|
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Users\Public\Libraries\Huptze\Huptze.exe 'C:\Users\Public\Libraries\Huptze\Huptze.exe' |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Users\Public\Libraries\Huptze\Huptze.exe 'C:\Users\Public\Libraries\Huptze\Huptze.exe' |
|
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
Source: C:\Windows\explorer.exe |
Process created: C:\Users\Public\Libraries\Huptze\Huptze.exe 'C:\Users\Public\Libraries\Huptze\Huptze.exe' |
Source: C:\Windows\explorer.exe |
Process created: C:\Users\Public\Libraries\Huptze\Huptze.exe 'C:\Users\Public\Libraries\Huptze\Huptze.exe' |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\Huptzeullazkbrfuqvqdlxbsjktmnwu[1] |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@8/3@4/0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: QUOTATION_doc.exe |
Joe Sandbox Cloud Basic: Detection: clean Score: 0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: QUOTATION_doc.exe |
Static file information: File size 1052672 > 1048576 |
Source: Yara match |
File source: 00000015.00000002.631255655.00000000021A0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000002.632108057.00000000026F0000.00000004.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA58E push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA58E push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA58E push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA58E push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA58E push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA58E push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA58E push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA58E push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA58E push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA58E push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA58E push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA58E push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA584 push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA584 push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA584 push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA584 push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA584 push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA584 push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA584 push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA584 push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA584 push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA584 push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA584 push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022FA584 push eax; ret |
0_3_022FA5C0 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Huptze |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Huptze |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\mobsync.exe |
RDTSC instruction interceptor: First address: 0000000072488604 second address: 000000007248860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc |
Source: C:\Windows\SysWOW64\mobsync.exe |
RDTSC instruction interceptor: First address: 000000007248899E second address: 00000000724889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc |
Source: explorer.exe, 00000011.00000000.546571356.0000000008430000.00000004.00000001.sdmp |
Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 00000011.00000000.601959319.00000000083E9000.00000004.00000001.sdmp |
Binary or memory string: VMware SATA CD00dRom0 |
Source: explorer.exe, 00000011.00000000.584670896.00000000062E0000.00000004.00000001.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000011.00000000.586385186.0000000006414000.00000004.00000001.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000011.00000000.601959319.00000000083E9000.00000004.00000001.sdmp |
Binary or memory string: VMware SATA CD00 |
Source: explorer.exe, 00000011.00000000.586385186.0000000006414000.00000004.00000001.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000011.00000000.600240165.00000000082E2000.00000004.00000001.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}> |
Source: explorer.exe, 00000011.00000000.549013567.0000000008678000.00000004.00000001.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1SPS0 |
Source: explorer.exe, 00000011.00000000.600240165.00000000082E2000.00000004.00000001.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: explorer.exe, 00000011.00000000.546571356.0000000008430000.00000004.00000001.sdmp |
Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-; |
Source: Huptze.exe, 00000015.00000002.630029726.0000000000808000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: explorer.exe, 00000011.00000000.560901848.000000000095C000.00000004.00000020.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Code function: 0_3_022F9EE0 LdrInitializeThunk, |
0_3_022F9EE0 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Memory written: C:\Windows\System32\svchost.exe base: 72480000 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Memory written: C:\Windows\System32\svchost.exe base: 2440000 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Memory written: C:\Windows\System32\svchost.exe base: 2450000 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Memory allocated: C:\Windows\System32\svchost.exe base: 72480000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Memory allocated: C:\Windows\System32\svchost.exe base: 2440000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Memory allocated: C:\Windows\System32\svchost.exe base: 2450000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Memory written: C:\Windows\System32\svchost.exe base: 72480000 value starts with: 4D5A |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Thread created: C:\Windows\System32\svchost.exe EIP: 2450000 |
Source: C:\Users\user\Desktop\QUOTATION_doc.exe |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
Source: explorer.exe, 00000011.00000002.642961549.0000000000EE0000.00000002.00020000.sdmp, Huptze.exe, 00000014.00000002.631158026.0000000000E70000.00000002.00020000.sdmp, Huptze.exe, 00000015.00000002.630849928.0000000000D90000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: explorer.exe, 00000011.00000000.560363495.00000000008B8000.00000004.00000020.sdmp, Huptze.exe, 00000014.00000002.631158026.0000000000E70000.00000002.00020000.sdmp, Huptze.exe, 00000015.00000002.630849928.0000000000D90000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: explorer.exe, 00000011.00000002.642961549.0000000000EE0000.00000002.00020000.sdmp, Huptze.exe, 00000014.00000002.631158026.0000000000E70000.00000002.00020000.sdmp, Huptze.exe, 00000015.00000002.630849928.0000000000D90000.00000002.00020000.sdmp |
Binary or memory string: &Program Manager |
Source: explorer.exe, 00000011.00000002.642961549.0000000000EE0000.00000002.00020000.sdmp, Huptze.exe, 00000014.00000002.631158026.0000000000E70000.00000002.00020000.sdmp, Huptze.exe, 00000015.00000002.630849928.0000000000D90000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |
Source: Yara match |
File source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY |