Windows Analysis Report TW_PURCHASE ORDER _BENTEX LTD_26201.exe

Overview

General Information

Sample Name: TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Analysis ID: 510728
MD5: df979ba0a0557ff574d9ebaec0d3e0bb
SHA1: 9d6733cbc7a3a70bfb3be841aeb78e9dff6045f1
SHA256: 221f20319954181ff4d7b4edb299d7eb00c2a20bc1c6c3dff99d2374ae084000
Tags: exe

Detection

AveMaria FormBook UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Tries to detect virtualization through RDTSC time measurements
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Contains functionality to steal e-mail passwords
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Avira: detection malicious, Label: HEUR/AGEN.1143694
Source: C:\Users\user\AppData\Roaming\ccwm.axjK.exe Avira: detection malicious, Label: HEUR/AGEN.1143694
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ConsoleApp4[1].exe Avira: detection malicious, Label: HEUR/AGEN.1143694
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Avira: detection malicious, Label: HEUR/AGEN.1143694
Found malware configuration
Source: 00000010.00000002.529455325.0000000003CE1000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.christophebigot.com/pp1a/"], "decoy": ["ytwdpk.com", "1afs1f.com", "yougeshpal.com", "diabetologist.tips", "empregodonovomilenio.com", "ztransact.online", "doneforyoueventbrandingkit.com", "yl20215.top", "teashalu.xyz", "kpscreations.com", "hxs1688.com", "introtostudy.com", "theradicalsvisions.com", "trammtd.online", "navsecurity.online", "loit711.com", "rufly.link", "iwyaknfc.icu", "1bet11.net", "niguns.com", "digiad.site", "allthingsdivine.net", "dongiot.com", "burlakova.site", "vqjoi-lqybehuacg.xyz", "woundzip.com", "mircuitl.xyz", "motivatemommies.com", "brooklynmenssoccer.com", "lc497.xyz", "midnightspecialvintage.com", "hvmhhhn57.com", "gharka.online", "justindianthink.com", "cha-selockedhelp.com", "dmayanazcandles.com", "coloradoliving.info", "facebookarts.ca", "account-noreply11.info", "kungbron.com", "joaquinadesign.com", "bravowhiskeysupply.com", "thenapieragency.com", "eaglesfast.com", "theremodelpainter.com", "cosechedevosapere.com", "midlamdmortage.com", "pzzhub.com", "holistic-therapy-saito.com", "1031dealflow.com", "yasalkumarsiteleri.xyz", "contactat110.info", "gentakipci.store", "fridaytattoo.com", "kelseymummert.com", "zxlpgbps.com", "iloveourfreedom.com", "betterpros.net", "surabayamagazine.com", "nmszkq.com", "123movies00.xyz", "popheads.store", "customembroideredpatches.art", "bonoffrinvest.club"]}
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.28851bc.4.raw.unpack Malware Configuration Extractor: AveMaria {"C2 url": "papi1.ddns.net", "port": 10190}
Yara detected FormBook
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.nFb.hufJF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.nFb.hufJF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.529455325.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.527560355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.529709529.0000000003F2A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.529773639.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.555372397.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.527936150.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.554984724.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus / Scanner detection for submitted sample
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Avira: detected
Yara detected AveMaria stealer
Source: Yara match File source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.10d5a90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3765d30.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.28851bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3802950.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.288394c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1103178.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000003.385998454.00000000010D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.385786430.00000000010FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.385968820.00000000010FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.381359899.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.537453432.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.378951117.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.381739789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.384356114.0000000003860000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.379672641.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.380967954.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.383728117.000000000277D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.386044956.000000000110E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.384010558.0000000002801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.384156725.0000000003711000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.380363268.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.385813766.00000000010D9000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ConsoleApp4[1].exe Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ConsoleApp4[1].exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\ccwm.axjK.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe ReversingLabs: Detection: 50%
Machine Learning detection for sample
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ccwm.axjK.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ConsoleApp4[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.2.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.unpack Avira: Label: TR/Redcap.ghjpt
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.7.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.20.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 1.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3f0000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.2.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 23.0.nFb.hufJF.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.11.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 23.0.nFb.hufJF.exe.400000.14.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.6.unpack Avira: Label: TR/Redcap.ghjpt
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.17.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 23.0.nFb.hufJF.exe.400000.11.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.23.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.unpack Avira: Label: TR/Redcap.ghjpt
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.unpack Avira: Label: TR/Redcap.ghjpt
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3f0000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 23.2.nFb.hufJF.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.3.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.4.unpack Avira: Label: TR/Redcap.ghjpt
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.14.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.9.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.unpack Avira: Label: TR/Redcap.ghjpt
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.unpack Avira: Label: TR/Redcap.ghjpt
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.unpack Avira: Label: TR/Redcap.ghjpt
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.5.unpack Avira: Label: TR/Dropper.MSIL.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040CAFC CryptUnprotectData,LocalAlloc,LocalFree, 15_2_0040CAFC
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 15_2_0040CC54
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040A6C8 GetBinaryTypeW,CopyFileW,CryptReleaseContext,PathFileExistsW,GetPrivateProfileStringW, 15_2_0040A6C8
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040B15E lstrlenA,CryptStringToBinaryA,lstrcpyA, 15_2_0040B15E
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 15_2_0040CCB4
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 15_2_0040A632
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040CF58 LocalAlloc,BCryptDecrypt,LocalFree, 15_2_0040CF58

Exploits:

Yara detected UACMe UAC Bypass tool
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3878490.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1113180.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.289219c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.27b9c98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1113180.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3765d30.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.28851bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3802950.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1113180.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.288394c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1103178.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.381012544.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.385786430.00000000010FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.381396885.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.385968820.00000000010FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.384356114.0000000003860000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.381767459.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.383728117.000000000277D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.386044956.000000000110E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.380409735.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.384010558.0000000002801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.384156725.0000000003711000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.537642824.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TW_PURCHASE ORDER _BENTEX LTD_26201.exe PID: 7128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TW_PURCHASE ORDER _BENTEX LTD_26201.exe PID: 3132, type: MEMORYSTR

Compliance:

Uses 32bit PE files
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Directory created: C:\Program Files\Microsoft DN1
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: nFb.hufJF.exe, 00000017.00000002.555703946.000000000171F000.00000040.00000001.sdmp
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Source: Binary string: wntdll.pdb source: nFb.hufJF.exe
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 0000000F.00000003.405290477.00000000044DE000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 15_2_0041002B
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 15_2_00409DF6
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040FF27 FindFirstFileW,FindNextFileW, 15_2_0040FF27

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 4x nop then pop ebx 23_2_00407B22

Networking:

Uses dynamic DNS services
Source: unknown DNS query: name: papi1.ddns.net
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: papi1.ddns.net
Source: Malware configuration extractor URLs: www.christophebigot.com/pp1a/
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /attachments/889839642097119317/902580421521473556/ConsoleApp4.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.discordapp.com
Connection: Keep-Alive
Contains functionality to download and execute PE files
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_004027D3 URLDownloadToFileW,ShellExecuteW, 15_2_004027D3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DAVID_CRAIGGG
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.140.53.15
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49784 -> 185.140.53.15:10190
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 0000000F.00000003.393001119.0000000003B00000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/889839642097119317/902580421521473556/ConsoleApp4.exe
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 00000001.00000002.384010558.0000000002801000.00000004.00000001.sdmp, TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 0000000F.00000000.381359899.0000000000400000.00000040.00000001.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 0000000F.00000003.408196097.00000000044C1000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 0000000F.00000003.408196097.00000000044C1000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: unknown DNS traffic detected: queries for: papi1.ddns.net
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040562F setsockopt,recv,recv, 15_2_0040562F
Source: global traffic HTTP traffic detected:
GET /attachments/889839642097119317/902580421521473556/ConsoleApp4.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.discordapp.com
Connection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49785 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_004089D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx, 15_2_004089D5
Installs a raw input device (often for capturing keystrokes)
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 00000001.00000002.384010558.0000000002801000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.nFb.hufJF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.nFb.hufJF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.529455325.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.527560355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.529709529.0000000003F2A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.529773639.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.555372397.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.527936150.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.554984724.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Yara detected AveMaria stealer
Source: Yara match File source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.10d5a90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3878490.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1113180.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.289219c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 23.0.nFb.hufJF.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 23.0.nFb.hufJF.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.27b9c98.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.10d5a90.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.10d5a90.6.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 23.0.nFb.hufJF.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 23.0.nFb.hufJF.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 23.0.nFb.hufJF.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 23.0.nFb.hufJF.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1113180.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 23.0.nFb.hufJF.exe.400000.14.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 23.0.nFb.hufJF.exe.400000.14.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.28851bc.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.28851bc.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.28851bc.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 23.0.nFb.hufJF.exe.400000.11.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 23.0.nFb.hufJF.exe.400000.11.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 23.2.nFb.hufJF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 23.2.nFb.hufJF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3802950.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3802950.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3802950.6.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 23.2.nFb.hufJF.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 23.2.nFb.hufJF.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1113180.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.288394c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.288394c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.288394c.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1103178.12.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1103178.12.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1103178.12.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 00000010.00000002.529455325.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.529455325.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000000.527560355.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000000.527560355.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.529709529.0000000003F2A000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.529709529.0000000003F2A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.381359899.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000F.00000000.381359899.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000010.00000002.529773639.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.529773639.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.555372397.0000000001090000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.555372397.0000000001090000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.537453432.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000F.00000002.537453432.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 0000000F.00000000.378951117.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000F.00000000.378951117.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 0000000F.00000000.381739789.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000F.00000000.381739789.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 0000000F.00000000.379672641.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000F.00000000.379672641.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000017.00000000.527936150.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000000.527936150.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.380967954.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000F.00000000.380967954.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000017.00000002.554984724.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.554984724.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.380363268.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000F.00000000.380363268.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Executable has a suspicious name (potential lure to open the executable)
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Static file information: Suspicious name
Detected potential crypto function
PE file contains strange resources
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ConsoleApp4[1].exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ConsoleApp4[1].exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ConsoleApp4[1].exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ccwm.axjK.exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ccwm.axjK.exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ccwm.axjK.exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nFb.hufJF.exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nFb.hufJF.exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nFb.hufJF.exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nFb.hufJF.exe.16.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nFb.hufJF.exe.16.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nFb.hufJF.exe.16.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Uses 32bit PE files
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1103178.12.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3878490.10.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3878490.10.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1113180.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1113180.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.289219c.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.289219c.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 23.0.nFb.hufJF.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 23.0.nFb.hufJF.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.27b9c98.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.27b9c98.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.10d5a90.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.10d5a90.6.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.0.nFb.hufJF.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 23.0.nFb.hufJF.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.0.nFb.hufJF.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 23.0.nFb.hufJF.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1113180.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1113180.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.0.nFb.hufJF.exe.400000.14.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 23.0.nFb.hufJF.exe.400000.14.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3765d30.8.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.28851bc.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.28851bc.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.28851bc.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.28851bc.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.0.nFb.hufJF.exe.400000.11.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 23.0.nFb.hufJF.exe.400000.11.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.nFb.hufJF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 23.2.nFb.hufJF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3802950.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3802950.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3802950.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3802950.6.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.nFb.hufJF.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 23.2.nFb.hufJF.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1113180.9.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1113180.9.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.288394c.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.288394c.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.288394c.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.288394c.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1139a9f.11.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1103178.12.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1103178.12.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1103178.12.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1103178.12.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1103178.12.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000002.529455325.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.529455325.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.381012544.000000000054F000.00000040.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000017.00000000.527560355.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000000.527560355.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000003.385786430.00000000010FB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000000.381396885.000000000054F000.00000040.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000010.00000002.529709529.0000000003F2A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.529709529.0000000003F2A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000003.385968820.00000000010FB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000000.381359899.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000000.381359899.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000002.529773639.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.529773639.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.555372397.0000000001090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.555372397.0000000001090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.537453432.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.537453432.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000000.378951117.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000000.378951117.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000000.381739789.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000000.381739789.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.384356114.0000000003860000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000000.381767459.000000000054F000.00000040.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000000.379672641.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000000.379672641.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000017.00000000.527936150.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000000.527936150.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.380967954.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000000.380967954.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.383728117.000000000277D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000003.386044956.000000000110E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000000.380409735.000000000054F000.00000040.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000001.00000002.384010558.0000000002801000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000017.00000002.554984724.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.554984724.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.384156725.0000000003711000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000000.380363268.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000000.380363268.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.537642824.000000000054F000.00000040.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: String function: 016B5720 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: String function: 0162B150 appears 177 times
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: String function: 016A5510 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: String function: 0167D08C appears 55 times
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: String function: 004035E5 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: String function: 00410969 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: String function: 04985680 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: String function: 049862B0 appears 105 times
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: String function: 049858A0 appears 105 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041A360 NtCreateFile, 23_2_0041A360
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041A410 NtReadFile, 23_2_0041A410
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041A490 NtClose, 23_2_0041A490
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041A540 NtAllocateVirtualMemory, 23_2_0041A540
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041A35B NtCreateFile, 23_2_0041A35B
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041A40C NtReadFile, 23_2_0041A40C
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041A48A NtClose, 23_2_0041A48A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041A53B NtAllocateVirtualMemory, 23_2_0041A53B
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016695D0 NtClose,LdrInitializeThunk, 23_2_016695D0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669780 NtMapViewOfSection,LdrInitializeThunk, 23_2_01669780
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669660 NtAllocateVirtualMemory,LdrInitializeThunk, 23_2_01669660
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016696E0 NtFreeVirtualMemory,LdrInitializeThunk, 23_2_016696E0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669910 NtAdjustPrivilegesToken,LdrInitializeThunk, 23_2_01669910
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016699A0 NtCreateSection,LdrInitializeThunk, 23_2_016699A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669860 NtQuerySystemInformation,LdrInitializeThunk, 23_2_01669860
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0166B040 NtSuspendThread, 23_2_0166B040
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0166A3B0 NtGetContextThread, 23_2_0166A3B0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669560 NtWriteFile, 23_2_01669560
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669540 NtReadFile, 23_2_01669540
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669520 NtWaitForSingleObject, 23_2_01669520
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016695F0 NtQueryInformationFile, 23_2_016695F0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669760 NtOpenProcess, 23_2_01669760
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669770 NtSetInformationFile, 23_2_01669770
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0166A770 NtOpenThread, 23_2_0166A770
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669730 NtQueryVirtualMemory, 23_2_01669730
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669710 NtQueryInformationToken, 23_2_01669710
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0166A710 NtOpenProcessToken, 23_2_0166A710
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016697A0 NtUnmapViewOfSection, 23_2_016697A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669670 NtQueryInformationProcess, 23_2_01669670
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669650 NtQueryValueKey, 23_2_01669650
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669610 NtEnumerateValueKey, 23_2_01669610
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016696D0 NtCreateKey, 23_2_016696D0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669950 NtQueueApcThread, 23_2_01669950
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016699D0 NtCreateProcessEx, 23_2_016699D0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669840 NtDelayExecution, 23_2_01669840
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669820 NtEnumerateKey, 23_2_01669820
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016698F0 NtReadVirtualMemory, 23_2_016698F0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016698A0 NtWriteVirtualMemory, 23_2_016698A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669B00 NtSetValueKey, 23_2_01669B00
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669A50 NtCreateFile, 23_2_01669A50
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669A20 NtResumeThread, 23_2_01669A20
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669A00 NtProtectVirtualMemory, 23_2_01669A00
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669A10 NtQuerySection, 23_2_01669A10
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669A80 NtOpenDirectoryObject, 23_2_01669A80
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0166AD30 NtSetContextThread, 23_2_0166AD30
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01669FE0 NtCreateMutant, 23_2_01669FE0
Sample file is different than original file name gathered from version info
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 00000001.00000002.382717951.0000000000444000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNew.exe8 vs TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 00000001.00000002.383910719.00000000027CD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 00000001.00000002.383910719.00000000027CD000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 00000001.00000002.384903817.00000000057E0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameZfvdpxph.dll" vs TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 0000000F.00000000.380551654.0000000000C34000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNew.exe8 vs TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Binary or memory string: OriginalFilenameNew.exe8 vs TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ConsoleApp4[1].exe.15.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ccwm.axjK.exe.15.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nFb.hufJF.exe.15.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nFb.hufJF.exe.16.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TW_PURCHASE ORDER _BENTEX LTD_26201.exe.log
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@9/10@2/2
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_04988C40 GetLastError,GetVersionExW,FormatMessageW,FormatMessageA,_free,LocalFree,_free, 15_3_04988C40
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 15_2_0040D49C
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_004130B3 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA, 15_2_004130B3
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File created: C:\Program Files\Microsoft DN1
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File read: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe 'C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe'
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Process created: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Process created: C:\Users\user\AppData\Roaming\nFb.hufJF.exe 'C:\Users\user\AppData\Roaming\nFb.hufJF.exe'
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Process created: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Process created: C:\Users\user\AppData\Roaming\ccwm.axjK.exe 'C:\Users\user\AppData\Roaming\ccwm.axjK.exe'
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Process created: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Process created: C:\Users\user\AppData\Roaming\nFb.hufJF.exe 'C:\Users\user\AppData\Roaming\nFb.hufJF.exe'
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Process created: C:\Users\user\AppData\Roaming\ccwm.axjK.exe 'C:\Users\user\AppData\Roaming\ccwm.axjK.exe'
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Process created: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 15_2_0040F619
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File created: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040F80E CoInitializeSecurity,CoInitialize,CoCreateInstance,VariantInit, 15_2_0040F80E
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049894E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free, 15_3_049894E0
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 0000000F.00000003.405290477.00000000044DE000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\ccwm.axjK.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_004120B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 15_2_004120B8
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Directory created: C:\Program Files\Microsoft DN1
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: nFb.hufJF.exe, 00000017.00000002.555703946.000000000171F000.00000040.00000001.sdmp
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Source: Binary string: wntdll.pdb source: nFb.hufJF.exe
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 0000000F.00000003.405290477.00000000044DE000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1.dr, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3f0000.0.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3f0000.0.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ConsoleApp4[1].exe.15.dr, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ccwm.axjK.exe.15.dr, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: nFb.hufJF.exe.15.dr, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.2.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.7.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.20.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.2.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.11.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.0.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.17.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.23.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.3.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.1.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.14.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.9.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.be0000.5.unpack, New.Filter/Registry.cs .Net Code: CalcRegistry System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: nFb.hufJF.exe.16.dr, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.nFb.hufJF.exe.970000.4.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.nFb.hufJF.exe.970000.2.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.nFb.hufJF.exe.970000.6.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.nFb.hufJF.exe.970000.0.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.nFb.hufJF.exe.970000.0.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.0.nFb.hufJF.exe.b50000.2.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.0.nFb.hufJF.exe.b50000.6.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.0.nFb.hufJF.exe.b50000.4.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.nFb.hufJF.exe.b50000.1.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.0.nFb.hufJF.exe.b50000.9.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.0.nFb.hufJF.exe.b50000.0.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.0.nFb.hufJF.exe.b50000.15.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.0.nFb.hufJF.exe.b50000.12.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.0.ccwm.axjK.exe.220000.6.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.2.ccwm.axjK.exe.220000.0.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.0.ccwm.axjK.exe.220000.0.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.0.ccwm.axjK.exe.220000.4.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.0.ccwm.axjK.exe.220000.2.unpack, Program.cs .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_02594020 push ebx; ret 1_2_02594022
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_025940D0 push ebx; ret 1_2_025940D2
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_025940F1 push ebx; ret 1_2_025940F2
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_025941E3 push ebx; ret 1_2_025941EA
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_02596790 push esp; ret 1_2_02596791
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_02594E28 push esi; ret 1_2_02594E2A
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_02596E80 push 686804C3h; ret 1_2_02596E86
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_0259B2C8 pushfd ; ret 1_2_0259B2CA
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_0259F80B pushfd ; iretd 1_2_0259F839
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_02593E43 push eax; ret 1_2_02593E4A
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_02593EF1 push edx; ret 1_2_02593EF2
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_02593F07 push edx; ret 1_2_02593F1A
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_02593F39 push ebx; ret 1_2_02593F3A
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 1_2_02593F3B push edx; ret 1_2_02593F42
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049E8D05 push ecx; ret 15_3_049E8D18
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_00401190 push eax; ret 15_2_004011A4
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_00401190 push eax; ret 15_2_004011CC
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_004144B1 push ebp; retf 15_2_00414564
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_00414550 push ebp; retf 15_2_00414564
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Code function: 16_2_012E416B push edi; iretd 16_2_012E416E
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Code function: 16_2_053159A0 pushfd ; retf 16_2_053159A1
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_00408191 push 4ABAB799h; ret 23_2_0040819F
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0040E357 push ecx; ret 23_2_0040E358
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_00417B2B pushfd ; ret 23_2_00417B2C
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041D4B5 push eax; ret 23_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041D56C push eax; ret 23_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041D502 push eax; ret 23_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041D50B push eax; ret 23_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041D617 push ebp; ret 23_2_0041D6D6
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0041BFC7 push es; ret 23_2_0041BFCA
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0040AFA2 push ebx; ret 23_2_0040AFA8
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049E981B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 15_3_049E981B
Binary contains a suspicious time stamp
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe Static PE information: 0x82459DE7 [Tue Apr 5 07:14:47 2039 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.98302948624 (2 identical entries)
Source: initial sample Static PE information: section name: .text entropy: 7.98658747518 (4 identical entries)
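The two static findings above (TimeDateStamp 0x82459DE7 and a .text entropy near 7.98) can be reproduced outside the sandbox with a few lines of header parsing. What follows is an added example, not part of this report: it reads only the COFF header fields and section table the two checks need, and the PE image it runs on is a minimal one constructed in build_sample_pe() (a .text section filled with seeded random bytes, no real code) so that the script runs offline. One caveat before reading too much into the time stamp: the initial sample is .NET, and Roslyn deterministic builds, the default for SDK-style projects, fill TimeDateStamp with a content hash whose high bit is set by design, which is exactly what a 0x8xxxxxxx value decoding to a date after 2038 looks like. Treat such a stamp as meaningless rather than as proof of deliberate tampering; the entropy reading is the stronger packing indicator.

```python
"""Static triage of two findings in the report above: the COFF
TimeDateStamp (0x82459DE7 -> 2039, i.e. in the future) and the per-section
Shannon entropy (.text at ~7.98, i.e. packed or encrypted). Added example,
not part of the sandbox report; the minimal PE built by build_sample_pe()
is constructed here so the script runs offline, and parse_pe() reads only
the header fields these two checks need."""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
IMAGE_FILE_HEADER = "<HHIIIHH"


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image):
    """Return the COFF timestamp and the raw-data entropy of every section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from(IMAGE_FILE_HEADER, image, coff)
    sec_table = coff + struct.calcsize(IMAGE_FILE_HEADER) + opt_size
    sections = []
    for i in range(nsections):  # IMAGE_SECTION_HEADER is 40 bytes
        hdr = image[sec_table + 40 * i:sec_table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        sections.append({"name": name, "raw_size": raw_size,
                         "entropy": shannon_entropy(image[raw_ptr:raw_ptr + raw_size])})
    return {"timestamp_raw": stamp,
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "sections": sections}


def triage(image, now_epoch=None, entropy_threshold=7.5):
    """Flag what the sandbox flagged: a compile time in the future and
    sections whose entropy suggests compression or encryption."""
    info = parse_pe(image)
    if now_epoch is None:
        now_epoch = int(datetime.now(timezone.utc).timestamp())
    findings = []
    if info["timestamp_raw"] > now_epoch:
        findings.append("suspicious time stamp: 0x%08X [%s UTC]" % (
            info["timestamp_raw"], info["timestamp"].strftime("%a %b %d %H:%M:%S %Y")))
    for s in info["sections"]:
        if s["entropy"] >= entropy_threshold:
            findings.append("section %s entropy %.3f >= %.1f" % (s["name"], s["entropy"], entropy_threshold))
    return findings


def build_sample_pe(timestamp=0x82459DE7, text_size=4096):
    """Constructed sample: a minimal PE32 whose single .text section holds
    seeded pseudo-random bytes, so its entropy lands near 8.0 like the
    packed .text in the report. Headers only; it is not runnable."""
    rng = random.Random(26201)
    text = bytes(rng.getrandbits(8) for _ in range(text_size))
    e_lfanew, opt_size = 0x40, 0xE0  # 0xE0 = sizeof(IMAGE_OPTIONAL_HEADER32)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(IMAGE_FILE_HEADER, 0x14C, 1, timestamp, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zero
    raw_ptr = 0x200  # first 512-byte file-alignment boundary after the headers
    sec = (b".text".ljust(8, b"\0")
           + struct.pack("<IIII", text_size, 0x1000, text_size, raw_ptr)
           + b"\0" * 12 + struct.pack("<I", 0x60000020))  # CODE|EXECUTE|READ
    headers = dos + PE_SIGNATURE + coff + opt + sec
    return headers.ljust(raw_ptr, b"\0") + text


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

Point parse_pe() at the bytes of the file on disk to check a real sample; the 7.5 threshold is the usual rule of thumb, and a .text section (as opposed to a resource or overlay) above it almost always means the real code is unpacked at run time, which is why the sandbox's code-function hits come from memory dumps rather than from the file.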

Persistence and Installation Behavior:

Contains functionality to create new users
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040D418 NetUserAdd,NetLocalGroupAddMembers, 15_2_0040D418
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File created: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe File created: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ConsoleApp4[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File created: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File created: C:\Users\user\AppData\Roaming\ccwm.axjK.exe Jump to dropped file
Contains functionality to download and launch executables
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_004027D3 URLDownloadToFileW,ShellExecuteW, 15_2_004027D3
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 15_2_0040AC0A
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040A6C8 GetBinaryTypeW,CopyFileW,CryptReleaseContext,PathFileExistsW,GetPrivateProfileStringW, 15_2_0040A6C8
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 15_2_0040D508

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to hide user accounts
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 00000001.00000002.384010558.0000000002801000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 00000001.00000002.384010558.0000000002801000.00000004.00000001.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 0000000F.00000000.381359899.0000000000400000.00000040.00000001.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Process information set: NOOPENFILEERRORBOX (34 identical entries) Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Process information set: NOOPENFILEERRORBOX (24 identical entries) Jump to behavior
Source: C:\Users\user\AppData\Roaming\ccwm.axjK.exe Process information set: NOOPENFILEERRORBOX (6 identical entries) Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
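The RDTSC interceptor entries above record the classic timing check: two rdtsc reads six bytes apart, the delta between them later compared against a threshold that a hypervisor or a single-stepping debugger will exceed. The same byte-level view explains two other signatures on this page, the fs:[30h] PEB reads under Anti Debugging and the push reg; ret stubs listed earlier. The scanner below is an added example, not sandbox code: it looks for the raw IA-32 encodings of those three idioms in a code blob and reports them with the same kind of addresses the report uses (the constructed SAMPLE places the report's own rdtsc sequence at 0x409904). Byte matching without disassembly will also hit data that happens to decode this way; entries such as push ebp; retf, pushfd; retf and push edi; iretd in the listing above are the kind of hits to confirm in a disassembler before treating them as real gadgets.

```python
"""Byte-pattern heuristics behind three of the signatures in this report:
paired RDTSC reads (the VM timing check), PEB reads through fs:[30h]
(Anti Debugging) and push/ret control-flow obfuscation. Added example, not
code from the sandbox; the opcode encodings are standard IA-32 and the
SAMPLE blob is constructed to contain one instance of each."""
import re

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RDTSC = re.compile(rb"\x0f\x31")
# mov r32, dword ptr fs:[30h]: 64 A1 disp32 for eax, otherwise 64 8B /r with
# mod=00 rm=101 (disp32) and the destination register in the reg field.
PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00", re.DOTALL)
PUSH_REG_RET = re.compile(rb"[\x50-\x57]\xc3", re.DOTALL)   # push r32; ret
PUSH_IMM_RET = re.compile(rb"\x68(.{4})\xc3", re.DOTALL)     # push imm32; ret


def find_rdtsc_pairs(code, base=0, window=32):
    """Two RDTSCs within `window` bytes: the delta between them is what the
    sample compares against a threshold to spot a hypervisor or single-step."""
    offs = [m.start() for m in RDTSC.finditer(code)]
    return [(base + a, base + b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def find_peb_reads(code, base=0):
    """Reads of the PEB pointer (TEB+0x30); the next step is usually
    PEB.BeingDebugged at +2 or PEB.NtGlobalFlag at +0x68."""
    out = []
    for m in PEB_READ.finditer(code):
        enc = m.group(0)
        reg = "eax" if enc[1] == 0xA1 else REG32[(enc[2] >> 3) & 7]
        out.append((base + m.start(), "mov %s, dword ptr fs:[00000030h]" % reg))
    return out


def find_push_ret(code, base=0):
    """push <reg|imm32>; ret: an indirect jump that hides its target from a
    linear disassembler and from simple control-flow recovery."""
    out = [(base + m.start(), "push %s; ret" % REG32[m.group(0)[0] - 0x50])
           for m in PUSH_REG_RET.finditer(code)]
    out += [(base + m.start(), "push %08Xh; ret" % int.from_bytes(m.group(1), "little"))
            for m in PUSH_IMM_RET.finditer(code)]
    return sorted(out)


def scan(code, base=0):
    """All three heuristics over one blob; addresses are base + offset."""
    return {"rdtsc_pairs": find_rdtsc_pairs(code, base),
            "peb_reads": find_peb_reads(code, base),
            "push_ret": find_push_ret(code, base)}


# Constructed blob: the exact sequence the RDTSC interceptor logged, then a
# PEB read that fetches BeingDebugged, a second PEB read, and two push/ret stubs.
SAMPLE = bytes.fromhex(
    "0f31"            # rdtsc
    "33c9"            # xor ecx, ecx
    "03c8"            # add ecx, eax
    "0f31"            # rdtsc
    "64a130000000"    # mov eax, dword ptr fs:[30h]
    "8a4002"          # mov al, byte ptr [eax+2]   ; PEB.BeingDebugged
    "648b0d30000000"  # mov ecx, dword ptr fs:[30h]
    "6899b7ba4a"      # push 4ABAB799h
    "c3"              # ret
    "52c3"            # push edx; ret
)

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE, base=0x409904).items():
        for hit in hits:
            print(kind, " ".join("%08X" % x if isinstance(x, int) else x for x in hit))
```

Run it as a script to print the hits. In practice feed it the memory-dumped, unpacked image (what the report's 15_2_ and 23_2_ code functions come from) rather than the packed file on disk, whose .text is at 7.98 bits per byte and contains nothing matchable; and treat a lone push/ret or PEB read as a lead, not a verdict, since compilers emit fs:[30h] reads in ordinary runtime code too.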
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe TID: 4020 Thread sleep count: 5443 > 30 Jump to behavior
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe TID: 4020 Thread sleep time: -54430s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe TID: 5528 Thread sleep count: 360 > 30 Jump to behavior
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe TID: 6236 Thread sleep count: 40 > 30 Jump to behavior
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe TID: 5272 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe TID: 4648 Thread sleep count: 60 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe TID: 6280 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe TID: 6280 Thread sleep time: -34000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe TID: 6472 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\ccwm.axjK.exe Last function: Thread delayed
Contains functionality to enumerate running services
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 15_2_0040DA5B
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049897E0 GetSystemTime followed by cmp: cmp edx, 04h and CTI: jc 0498983Bh 15_3_049897E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Window / User API: threadDelayed 5443 Jump to behavior
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Window / User API: threadDelayed 360 Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_00409AB0 rdtsc 23_2_00409AB0
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 15_2_0041002B
Source: explorer.exe, 00000019.00000000.536073678.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000019.00000002.550268337.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000019.00000000.536073678.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000019.00000000.534124967.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000019.00000000.534124967.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000019.00000000.536073678.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_04989970 GetSystemInfo, 15_3_04989970
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 15_2_00409DF6
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040FF27 FindFirstFileW,FindNextFileW, 15_2_0040FF27

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049E981B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 15_3_049E981B
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0041094E mov eax, dword ptr fs:[00000030h] 15_2_0041094E
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_00419172 mov eax, dword ptr fs:[00000030h] 15_2_00419172
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_00410619 mov eax, dword ptr fs:[00000030h] 15_2_00410619
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_00410620 mov eax, dword ptr fs:[00000030h] 15_2_00410620
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162B171 mov eax, dword ptr fs:[00000030h] 23_2_0162B171
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162B171 mov eax, dword ptr fs:[00000030h] 23_2_0162B171
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016A714D mov eax, dword ptr fs:[00000030h] 23_2_016A714D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016A714D mov eax, dword ptr fs:[00000030h] 23_2_016A714D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01644120 mov eax, dword ptr fs:[00000030h] 23_2_01644120
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01644120 mov eax, dword ptr fs:[00000030h] 23_2_01644120
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01644120 mov eax, dword ptr fs:[00000030h] 23_2_01644120
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01644120 mov eax, dword ptr fs:[00000030h] 23_2_01644120
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01644120 mov ecx, dword ptr fs:[00000030h] 23_2_01644120
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01623138 mov ecx, dword ptr fs:[00000030h] 23_2_01623138
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165513A mov eax, dword ptr fs:[00000030h] 23_2_0165513A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165513A mov eax, dword ptr fs:[00000030h] 23_2_0165513A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01629100 mov eax, dword ptr fs:[00000030h] 23_2_01629100
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01629100 mov eax, dword ptr fs:[00000030h] 23_2_01629100
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01629100 mov eax, dword ptr fs:[00000030h] 23_2_01629100
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01630100 mov eax, dword ptr fs:[00000030h] 23_2_01630100
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01630100 mov eax, dword ptr fs:[00000030h] 23_2_01630100
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01630100 mov eax, dword ptr fs:[00000030h] 23_2_01630100
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016231E0 mov eax, dword ptr fs:[00000030h] 23_2_016231E0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016B41E8 mov eax, dword ptr fs:[00000030h] 23_2_016B41E8
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162B1E1 mov eax, dword ptr fs:[00000030h] 23_2_0162B1E1
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162B1E1 mov eax, dword ptr fs:[00000030h] 23_2_0162B1E1
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162B1E1 mov eax, dword ptr fs:[00000030h] 23_2_0162B1E1
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164D1EF mov eax, dword ptr fs:[00000030h] 23_2_0164D1EF
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016BD1F9 mov eax, dword ptr fs:[00000030h] 23_2_016BD1F9
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163C1C0 mov eax, dword ptr fs:[00000030h] 23_2_0163C1C0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E31DC mov eax, dword ptr fs:[00000030h] 23_2_016E31DC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E31DC mov eax, dword ptr fs:[00000030h] 23_2_016E31DC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E31DC mov eax, dword ptr fs:[00000030h] 23_2_016E31DC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E31DC mov eax, dword ptr fs:[00000030h] 23_2_016E31DC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E31DC mov eax, dword ptr fs:[00000030h] 23_2_016E31DC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E31DC mov eax, dword ptr fs:[00000030h] 23_2_016E31DC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E31DC mov eax, dword ptr fs:[00000030h] 23_2_016E31DC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E31DC mov ecx, dword ptr fs:[00000030h] 23_2_016E31DC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E31DC mov ecx, dword ptr fs:[00000030h] 23_2_016E31DC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E31DC mov eax, dword ptr fs:[00000030h] 23_2_016E31DC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E31DC mov eax, dword ptr fs:[00000030h] 23_2_016E31DC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E31DC mov eax, dword ptr fs:[00000030h] 23_2_016E31DC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E31DC mov eax, dword ptr fs:[00000030h] 23_2_016E31DC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016361A7 mov eax, dword ptr fs:[00000030h] 23_2_016361A7
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016361A7 mov eax, dword ptr fs:[00000030h] 23_2_016361A7
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016361A7 mov eax, dword ptr fs:[00000030h] 23_2_016361A7
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016361A7 mov eax, dword ptr fs:[00000030h] 23_2_016361A7
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016561A0 mov eax, dword ptr fs:[00000030h] 23_2_016561A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016561A0 mov eax, dword ptr fs:[00000030h] 23_2_016561A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016A51BE mov eax, dword ptr fs:[00000030h] 23_2_016A51BE
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016A51BE mov eax, dword ptr fs:[00000030h] 23_2_016A51BE
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016A51BE mov eax, dword ptr fs:[00000030h] 23_2_016A51BE
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016A51BE mov eax, dword ptr fs:[00000030h] 23_2_016A51BE
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016FF1B5 mov eax, dword ptr fs:[00000030h] 23_2_016FF1B5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016FF1B5 mov eax, dword ptr fs:[00000030h] 23_2_016FF1B5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165A185 mov eax, dword ptr fs:[00000030h] 23_2_0165A185
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164C182 mov eax, dword ptr fs:[00000030h] 23_2_0164C182
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016EA189 mov eax, dword ptr fs:[00000030h] 23_2_016EA189
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016EA189 mov ecx, dword ptr fs:[00000030h] 23_2_016EA189
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01628190 mov ecx, dword ptr fs:[00000030h] 23_2_01628190
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01654190 mov eax, dword ptr fs:[00000030h] 23_2_01654190
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162519E mov eax, dword ptr fs:[00000030h] 23_2_0162519E
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162519E mov ecx, dword ptr fs:[00000030h] 23_2_0162519E
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016F1074 mov eax, dword ptr fs:[00000030h] 23_2_016F1074
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E2073 mov eax, dword ptr fs:[00000030h] 23_2_016E2073
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01625050 mov eax, dword ptr fs:[00000030h] 23_2_01625050
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01625050 mov eax, dword ptr fs:[00000030h] 23_2_01625050
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01625050 mov eax, dword ptr fs:[00000030h] 23_2_01625050
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01640050 mov eax, dword ptr fs:[00000030h] 23_2_01640050
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01640050 mov eax, dword ptr fs:[00000030h] 23_2_01640050
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01627057 mov eax, dword ptr fs:[00000030h] 23_2_01627057
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01654020 mov edi, dword ptr fs:[00000030h] 23_2_01654020
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165002D mov eax, dword ptr fs:[00000030h] 23_2_0165002D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165002D mov eax, dword ptr fs:[00000030h] 23_2_0165002D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165002D mov eax, dword ptr fs:[00000030h] 23_2_0165002D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165002D mov eax, dword ptr fs:[00000030h] 23_2_0165002D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165002D mov eax, dword ptr fs:[00000030h] 23_2_0165002D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163B02A mov eax, dword ptr fs:[00000030h] 23_2_0163B02A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163B02A mov eax, dword ptr fs:[00000030h] 23_2_0163B02A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163B02A mov eax, dword ptr fs:[00000030h] 23_2_0163B02A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163B02A mov eax, dword ptr fs:[00000030h] 23_2_0163B02A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016B3019 mov eax, dword ptr fs:[00000030h] 23_2_016B3019
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165701D mov eax, dword ptr fs:[00000030h] 23_2_0165701D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165701D mov eax, dword ptr fs:[00000030h] 23_2_0165701D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165701D mov eax, dword ptr fs:[00000030h] 23_2_0165701D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165701D mov eax, dword ptr fs:[00000030h] 23_2_0165701D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165701D mov eax, dword ptr fs:[00000030h] 23_2_0165701D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165701D mov eax, dword ptr fs:[00000030h] 23_2_0165701D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016F4015 mov eax, dword ptr fs:[00000030h] 23_2_016F4015
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016F4015 mov eax, dword ptr fs:[00000030h] 23_2_016F4015
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016A7016 mov eax, dword ptr fs:[00000030h] 23_2_016A7016
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016A7016 mov eax, dword ptr fs:[00000030h] 23_2_016A7016
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016A7016 mov eax, dword ptr fs:[00000030h] 23_2_016A7016
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016240E1 mov eax, dword ptr fs:[00000030h] 23_2_016240E1
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016240E1 mov eax, dword ptr fs:[00000030h] 23_2_016240E1
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016240E1 mov eax, dword ptr fs:[00000030h] 23_2_016240E1
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E60F5 mov eax, dword ptr fs:[00000030h] 23_2_016E60F5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E60F5 mov eax, dword ptr fs:[00000030h] 23_2_016E60F5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E60F5 mov eax, dword ptr fs:[00000030h] 23_2_016E60F5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E60F5 mov eax, dword ptr fs:[00000030h] 23_2_016E60F5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016270C0 mov eax, dword ptr fs:[00000030h] 23_2_016270C0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016270C0 mov eax, dword ptr fs:[00000030h] 23_2_016270C0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016EB0C7 mov eax, dword ptr fs:[00000030h] 23_2_016EB0C7
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016EB0C7 mov eax, dword ptr fs:[00000030h] 23_2_016EB0C7
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016520A0 mov eax, dword ptr fs:[00000030h] 23_2_016520A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016520A0 mov eax, dword ptr fs:[00000030h] 23_2_016520A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016520A0 mov eax, dword ptr fs:[00000030h] 23_2_016520A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016520A0 mov eax, dword ptr fs:[00000030h] 23_2_016520A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016520A0 mov eax, dword ptr fs:[00000030h] 23_2_016520A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016520A0 mov eax, dword ptr fs:[00000030h] 23_2_016520A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016690AF mov eax, dword ptr fs:[00000030h] 23_2_016690AF
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165F0BF mov ecx, dword ptr fs:[00000030h] 23_2_0165F0BF
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165F0BF mov eax, dword ptr fs:[00000030h] 23_2_0165F0BF
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165F0BF mov eax, dword ptr fs:[00000030h] 23_2_0165F0BF
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01629080 mov eax, dword ptr fs:[00000030h] 23_2_01629080
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162B080 mov eax, dword ptr fs:[00000030h] 23_2_0162B080
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016B6365 mov eax, dword ptr fs:[00000030h] 23_2_016B6365
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016B6365 mov eax, dword ptr fs:[00000030h] 23_2_016B6365
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016B6365 mov eax, dword ptr fs:[00000030h] 23_2_016B6365
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163F370 mov eax, dword ptr fs:[00000030h] 23_2_0163F370
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163F370 mov eax, dword ptr fs:[00000030h] 23_2_0163F370
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163F370 mov eax, dword ptr fs:[00000030h] 23_2_0163F370
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162F358 mov eax, dword ptr fs:[00000030h] 23_2_0162F358
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016DE33D mov eax, dword ptr fs:[00000030h] 23_2_016DE33D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A309 mov eax, dword ptr fs:[00000030h] 23_2_0164A309
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E131B mov eax, dword ptr fs:[00000030h] 23_2_016E131B
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016503E2 mov eax, dword ptr fs:[00000030h] 23_2_016503E2
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016503E2 mov eax, dword ptr fs:[00000030h] 23_2_016503E2
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016503E2 mov eax, dword ptr fs:[00000030h] 23_2_016503E2
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016503E2 mov eax, dword ptr fs:[00000030h] 23_2_016503E2
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016503E2 mov eax, dword ptr fs:[00000030h] 23_2_016503E2
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016503E2 mov eax, dword ptr fs:[00000030h] 23_2_016503E2
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016D23E3 mov ecx, dword ptr fs:[00000030h] 23_2_016D23E3
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016D23E3 mov ecx, dword ptr fs:[00000030h] 23_2_016D23E3
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016D23E3 mov eax, dword ptr fs:[00000030h] 23_2_016D23E3
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016553C5 mov eax, dword ptr fs:[00000030h] 23_2_016553C5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016A53CA mov eax, dword ptr fs:[00000030h] 23_2_016A53CA
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016A53CA mov eax, dword ptr fs:[00000030h] 23_2_016A53CA
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E138A mov eax, dword ptr fs:[00000030h] 23_2_016E138A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016DD380 mov ecx, dword ptr fs:[00000030h] 23_2_016DD380
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165138B mov eax, dword ptr fs:[00000030h] 23_2_0165138B
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165138B mov eax, dword ptr fs:[00000030h] 23_2_0165138B
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165138B mov eax, dword ptr fs:[00000030h] 23_2_0165138B
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01652397 mov eax, dword ptr fs:[00000030h] 23_2_01652397
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165B390 mov eax, dword ptr fs:[00000030h] 23_2_0165B390
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016DB260 mov eax, dword ptr fs:[00000030h] 23_2_016DB260
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016DB260 mov eax, dword ptr fs:[00000030h] 23_2_016DB260
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0166927A mov eax, dword ptr fs:[00000030h] 23_2_0166927A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01629240 mov eax, dword ptr fs:[00000030h] 23_2_01629240
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01629240 mov eax, dword ptr fs:[00000030h] 23_2_01629240
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01629240 mov eax, dword ptr fs:[00000030h] 23_2_01629240
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01629240 mov eax, dword ptr fs:[00000030h] 23_2_01629240
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016B4257 mov eax, dword ptr fs:[00000030h] 23_2_016B4257
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E1229 mov eax, dword ptr fs:[00000030h] 23_2_016E1229
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A229 mov eax, dword ptr fs:[00000030h] 23_2_0164A229
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A229 mov eax, dword ptr fs:[00000030h] 23_2_0164A229
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A229 mov eax, dword ptr fs:[00000030h] 23_2_0164A229
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A229 mov eax, dword ptr fs:[00000030h] 23_2_0164A229
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A229 mov eax, dword ptr fs:[00000030h] 23_2_0164A229
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A229 mov eax, dword ptr fs:[00000030h] 23_2_0164A229
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A229 mov eax, dword ptr fs:[00000030h] 23_2_0164A229
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A229 mov eax, dword ptr fs:[00000030h] 23_2_0164A229
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164A229 mov eax, dword ptr fs:[00000030h] 23_2_0164A229
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162B233 mov eax, dword ptr fs:[00000030h] 23_2_0162B233
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162B233 mov eax, dword ptr fs:[00000030h] 23_2_0162B233
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B236 mov eax, dword ptr fs:[00000030h] 23_2_0164B236
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B236 mov eax, dword ptr fs:[00000030h] 23_2_0164B236
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B236 mov eax, dword ptr fs:[00000030h] 23_2_0164B236
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B236 mov eax, dword ptr fs:[00000030h] 23_2_0164B236
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B236 mov eax, dword ptr fs:[00000030h] 23_2_0164B236
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B236 mov eax, dword ptr fs:[00000030h] 23_2_0164B236
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01628239 mov eax, dword ptr fs:[00000030h] 23_2_01628239
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01628239 mov eax, dword ptr fs:[00000030h] 23_2_01628239
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01628239 mov eax, dword ptr fs:[00000030h] 23_2_01628239
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01625210 mov eax, dword ptr fs:[00000030h] 23_2_01625210
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01625210 mov ecx, dword ptr fs:[00000030h] 23_2_01625210
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01625210 mov eax, dword ptr fs:[00000030h] 23_2_01625210
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01625210 mov eax, dword ptr fs:[00000030h] 23_2_01625210
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016EB2E8 mov eax, dword ptr fs:[00000030h] 23_2_016EB2E8
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016EB2E8 mov eax, dword ptr fs:[00000030h] 23_2_016EB2E8
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016EB2E8 mov eax, dword ptr fs:[00000030h] 23_2_016EB2E8
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016EB2E8 mov eax, dword ptr fs:[00000030h] 23_2_016EB2E8
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016212D4 mov eax, dword ptr fs:[00000030h] 23_2_016212D4
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016362A0 mov eax, dword ptr fs:[00000030h] 23_2_016362A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016362A0 mov eax, dword ptr fs:[00000030h] 23_2_016362A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016362A0 mov eax, dword ptr fs:[00000030h] 23_2_016362A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016362A0 mov eax, dword ptr fs:[00000030h] 23_2_016362A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016252A5 mov eax, dword ptr fs:[00000030h] 23_2_016252A5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016252A5 mov eax, dword ptr fs:[00000030h] 23_2_016252A5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016252A5 mov eax, dword ptr fs:[00000030h] 23_2_016252A5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016252A5 mov eax, dword ptr fs:[00000030h] 23_2_016252A5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016252A5 mov eax, dword ptr fs:[00000030h] 23_2_016252A5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016512BD mov esi, dword ptr fs:[00000030h] 23_2_016512BD
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016512BD mov eax, dword ptr fs:[00000030h] 23_2_016512BD
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016512BD mov eax, dword ptr fs:[00000030h] 23_2_016512BD
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165D294 mov eax, dword ptr fs:[00000030h] 23_2_0165D294
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165D294 mov eax, dword ptr fs:[00000030h] 23_2_0165D294
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E129A mov eax, dword ptr fs:[00000030h] 23_2_016E129A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164C577 mov eax, dword ptr fs:[00000030h] 23_2_0164C577
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164C577 mov eax, dword ptr fs:[00000030h] 23_2_0164C577
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162B540 mov eax, dword ptr fs:[00000030h] 23_2_0162B540
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162B540 mov eax, dword ptr fs:[00000030h] 23_2_0162B540
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016A3540 mov eax, dword ptr fs:[00000030h] 23_2_016A3540
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162354C mov eax, dword ptr fs:[00000030h] 23_2_0162354C
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162354C mov eax, dword ptr fs:[00000030h] 23_2_0162354C
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165F527 mov eax, dword ptr fs:[00000030h] 23_2_0165F527
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165F527 mov eax, dword ptr fs:[00000030h] 23_2_0165F527
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165F527 mov eax, dword ptr fs:[00000030h] 23_2_0165F527
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016EE539 mov eax, dword ptr fs:[00000030h] 23_2_016EE539
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016AA537 mov eax, dword ptr fs:[00000030h] 23_2_016AA537
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E3518 mov eax, dword ptr fs:[00000030h] 23_2_016E3518
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E3518 mov eax, dword ptr fs:[00000030h] 23_2_016E3518
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E3518 mov eax, dword ptr fs:[00000030h] 23_2_016E3518
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01629515 mov ecx, dword ptr fs:[00000030h] 23_2_01629515
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162751A mov eax, dword ptr fs:[00000030h] 23_2_0162751A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162751A mov eax, dword ptr fs:[00000030h] 23_2_0162751A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162751A mov eax, dword ptr fs:[00000030h] 23_2_0162751A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0162751A mov eax, dword ptr fs:[00000030h] 23_2_0162751A
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163D5E0 mov eax, dword ptr fs:[00000030h] 23_2_0163D5E0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163D5E0 mov eax, dword ptr fs:[00000030h] 23_2_0163D5E0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016595EC mov eax, dword ptr fs:[00000030h] 23_2_016595EC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016295F0 mov eax, dword ptr fs:[00000030h] 23_2_016295F0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016295F0 mov ecx, dword ptr fs:[00000030h] 23_2_016295F0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016215C1 mov eax, dword ptr fs:[00000030h] 23_2_016215C1
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016F05AC mov eax, dword ptr fs:[00000030h] 23_2_016F05AC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016F05AC mov eax, dword ptr fs:[00000030h] 23_2_016F05AC
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016535A1 mov eax, dword ptr fs:[00000030h] 23_2_016535A1
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016565A0 mov eax, dword ptr fs:[00000030h] 23_2_016565A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016565A0 mov eax, dword ptr fs:[00000030h] 23_2_016565A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016565A0 mov eax, dword ptr fs:[00000030h] 23_2_016565A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01652581 mov eax, dword ptr fs:[00000030h] 23_2_01652581
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01652581 mov eax, dword ptr fs:[00000030h] 23_2_01652581
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01652581 mov eax, dword ptr fs:[00000030h] 23_2_01652581
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01652581 mov eax, dword ptr fs:[00000030h] 23_2_01652581
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016EB581 mov eax, dword ptr fs:[00000030h] 23_2_016EB581
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016EB581 mov eax, dword ptr fs:[00000030h] 23_2_016EB581
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016EB581 mov eax, dword ptr fs:[00000030h] 23_2_016EB581
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016EB581 mov eax, dword ptr fs:[00000030h] 23_2_016EB581
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01623591 mov eax, dword ptr fs:[00000030h] 23_2_01623591
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01628466 mov eax, dword ptr fs:[00000030h] 23_2_01628466
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01628466 mov eax, dword ptr fs:[00000030h] 23_2_01628466
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164746D mov eax, dword ptr fs:[00000030h] 23_2_0164746D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B477 mov eax, dword ptr fs:[00000030h] 23_2_0164B477
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B477 mov eax, dword ptr fs:[00000030h] 23_2_0164B477
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B477 mov eax, dword ptr fs:[00000030h] 23_2_0164B477
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B477 mov eax, dword ptr fs:[00000030h] 23_2_0164B477
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B477 mov eax, dword ptr fs:[00000030h] 23_2_0164B477
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B477 mov eax, dword ptr fs:[00000030h] 23_2_0164B477
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B477 mov eax, dword ptr fs:[00000030h] 23_2_0164B477
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B477 mov eax, dword ptr fs:[00000030h] 23_2_0164B477
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B477 mov eax, dword ptr fs:[00000030h] 23_2_0164B477
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B477 mov eax, dword ptr fs:[00000030h] 23_2_0164B477
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B477 mov eax, dword ptr fs:[00000030h] 23_2_0164B477
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0164B477 mov eax, dword ptr fs:[00000030h] 23_2_0164B477
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165A44B mov eax, dword ptr fs:[00000030h] 23_2_0165A44B
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01629450 mov eax, dword ptr fs:[00000030h] 23_2_01629450
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016BC450 mov eax, dword ptr fs:[00000030h] 23_2_016BC450
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016BC450 mov eax, dword ptr fs:[00000030h] 23_2_016BC450
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016F8450 mov eax, dword ptr fs:[00000030h] 23_2_016F8450
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163B433 mov eax, dword ptr fs:[00000030h] 23_2_0163B433
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163B433 mov eax, dword ptr fs:[00000030h] 23_2_0163B433
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163B433 mov eax, dword ptr fs:[00000030h] 23_2_0163B433
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01642430 mov eax, dword ptr fs:[00000030h] 23_2_01642430
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01642430 mov eax, dword ptr fs:[00000030h] 23_2_01642430
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01624439 mov eax, dword ptr fs:[00000030h] 23_2_01624439
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016F740D mov eax, dword ptr fs:[00000030h] 23_2_016F740D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016F740D mov eax, dword ptr fs:[00000030h] 23_2_016F740D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016F740D mov eax, dword ptr fs:[00000030h] 23_2_016F740D
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01628410 mov eax, dword ptr fs:[00000030h] 23_2_01628410
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016584E0 mov eax, dword ptr fs:[00000030h] 23_2_016584E0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016584E0 mov eax, dword ptr fs:[00000030h] 23_2_016584E0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016584E0 mov eax, dword ptr fs:[00000030h] 23_2_016584E0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016584E0 mov eax, dword ptr fs:[00000030h] 23_2_016584E0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016584E0 mov eax, dword ptr fs:[00000030h] 23_2_016584E0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016584E0 mov eax, dword ptr fs:[00000030h] 23_2_016584E0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E14FB mov eax, dword ptr fs:[00000030h] 23_2_016E14FB
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016314A9 mov eax, dword ptr fs:[00000030h] 23_2_016314A9
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016314A9 mov ecx, dword ptr fs:[00000030h] 23_2_016314A9
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016B34A0 mov eax, dword ptr fs:[00000030h] 23_2_016B34A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016B34A0 mov eax, dword ptr fs:[00000030h] 23_2_016B34A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016B34A0 mov eax, dword ptr fs:[00000030h] 23_2_016B34A0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016334B1 mov eax, dword ptr fs:[00000030h] 23_2_016334B1
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016334B1 mov eax, dword ptr fs:[00000030h] 23_2_016334B1
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0165D4B0 mov eax, dword ptr fs:[00000030h] 23_2_0165D4B0
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016B64B5 mov eax, dword ptr fs:[00000030h] 23_2_016B64B5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016B64B5 mov eax, dword ptr fs:[00000030h] 23_2_016B64B5
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_01621480 mov eax, dword ptr fs:[00000030h] 23_2_01621480
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0163849B mov eax, dword ptr fs:[00000030h] 23_2_0163849B
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E4496 mov eax, dword ptr fs:[00000030h] 23_2_016E4496
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E4496 mov eax, dword ptr fs:[00000030h] 23_2_016E4496
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_016E4496 mov eax, dword ptr fs:[00000030h] 23_2_016E4496
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049E5FCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_3_049E5FCC
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_00401085 GetProcessHeap,RtlAllocateHeap, 15_2_00401085
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_00409AB0 rdtsc 23_2_00409AB0
Enables debug privileges
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Code function: 23_2_0040ACF0 LdrLoadDll, 23_2_0040ACF0
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049E5FCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_3_049E5FCC
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049E723B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_3_049E723B

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Memory allocated: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Memory written: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Memory written: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe base: 400000
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Memory written: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe base: 401000
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Memory written: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe base: C2D008
Contains functionality to inject threads in other processes
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_004079E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 15_2_004079E8
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_00411FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 15_2_00411FD8
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 15_2_004120B8
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Process created: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Process created: C:\Users\user\AppData\Roaming\nFb.hufJF.exe 'C:\Users\user\AppData\Roaming\nFb.hufJF.exe'
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Process created: C:\Users\user\AppData\Roaming\ccwm.axjK.exe 'C:\Users\user\AppData\Roaming\ccwm.axjK.exe'
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Process created: C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe C:\Users\user\AppData\Local\Temp\nFb.hufJF.exe
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid, 15_2_0040F56D
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_004118BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError, 15_2_004118BA
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 0000000F.00000002.539418319.00000000019A0000.00000002.00020000.sdmp, ccwm.axjK.exe, 00000018.00000002.538902572.0000000000FE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000002.544443052.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000019.00000000.530947780.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 0000000F.00000002.539418319.00000000019A0000.00000002.00020000.sdmp, ccwm.axjK.exe, 00000018.00000002.538902572.0000000000FE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000002.544443052.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 0000000F.00000002.539418319.00000000019A0000.00000002.00020000.sdmp, ccwm.axjK.exe, 00000018.00000002.538902572.0000000000FE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000002.544443052.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: TW_PURCHASE ORDER _BENTEX LTD_26201.exe, 0000000F.00000002.539418319.00000000019A0000.00000002.00020000.sdmp, ccwm.axjK.exe, 00000018.00000002.538902572.0000000000FE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000002.544443052.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000019.00000002.550268337.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Queries volume information: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe VolumeInformation
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Queries volume information: C:\Users\user\AppData\Roaming\nFb.hufJF.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nFb.hufJF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ccwm.axjK.exe Queries volume information: C:\Users\user\AppData\Roaming\ccwm.axjK.exe VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_2_0040F93F cpuid 15_2_0040F93F
Source: C:\Users\user\Desktop\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049897E0 GetSystemTime,GetCurrentProcessId,GetTickCount,QueryPerformanceCounter, 15_3_049897E0
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049E73C6 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 15_3_049E73C6
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049894E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free, 15_3_049894E0

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connection per server for Internet Explorer
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.nFb.hufJF.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.nFb.hufJF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.nFb.hufJF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.529455325.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.527560355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.529709529.0000000003F2A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.529773639.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.555372397.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.527936150.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.554984724.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Yara detected AveMaria stealer
Source: Yara match File source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.10d5a90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3765d30.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.28851bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3802950.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.288394c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1103178.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000003.385998454.00000000010D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.385786430.00000000010FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.385968820.00000000010FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.381359899.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.537453432.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.378951117.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.381739789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.384356114.0000000003860000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.379672641.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.380967954.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.383728117.000000000277D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.386044956.000000000110E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.384010558.0000000002801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.384156725.0000000003711000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.380363268.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.385813766.00000000010D9000.00000004.00000001.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Contains functionality to steal e-mail passwords
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: POP3 Password 15_2_0040A29A
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: SMTP Password 15_2_0040A29A
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: IMAP Password 15_2_0040A29A
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: \Google\Chrome\User Data\Default\Login Data 15_2_0040C1B2
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: \Chromium\User Data\Default\Login Data 15_2_0040C1B2
Yara detected Credential Stealer
Source: Yara match File source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.10d5a90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3765d30.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.28851bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3802950.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.3838000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.288394c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.TW_PURCHASE ORDER _BENTEX LTD_26201.exe.1103178.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000003.385998454.00000000010D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.385786430.00000000010FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.385968820.00000000010FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.381359899.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.537453432.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.378951117.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.381739789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.384356114.0000000003860000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.379672641.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.380967954.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.383728117.000000000277D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.386044956.000000000110E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.384010558.0000000002801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.384156725.0000000003711000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.380363268.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.385813766.00000000010D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TW_PURCHASE ORDER _BENTEX LTD_26201.exe PID: 7128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TW_PURCHASE ORDER _BENTEX LTD_26201.exe PID: 3132, type: MEMORYSTR

Remote Access Functionality:

Yara detected FormBook
Yara detected AveMaria stealer
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A4CC0 sqlite3_bind_null, 15_3_049A4CC0
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A4CF0 sqlite3_bind_text, 15_3_049A4CF0
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A4C20 sqlite3_bind_int, 15_3_049A4C20
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A4C40 sqlite3_bind_int64, 15_3_049A4C40
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A4D20 sqlite3_bind_text16, 15_3_049A4D20
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A4D50 sqlite3_bind_value, 15_3_049A4D50
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A4EE0 sqlite3_bind_zeroblob, 15_3_049A4EE0
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A4FF0 sqlite3_bind_parameter_name, 15_3_049A4FF0
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A4F70 sqlite3_bind_parameter_count, 15_3_049A4F70
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A50E0 sqlite3_bind_parameter_index, 15_3_049A50E0
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A3030 sqlite3_clear_bindings,_memset, 15_3_049A3030
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A52D0 sqlite3_transfer_bindings, 15_3_049A52D0
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A4B90 sqlite3_bind_blob, 15_3_049A4B90
Source: C:\Users\user\AppData\Local\Temp\TW_PURCHASE ORDER _BENTEX LTD_26201.exe Code function: 15_3_049A4BC0 sqlite3_bind_double, 15_3_049A4BC0