
Windows Analysis Report: S9yf6BkjhTQUbHE.exe

Overview

General Information

Sample Name: S9yf6BkjhTQUbHE.exe
Analysis ID: 528622
MD5: 812861ad5cbb91bfa01a6a15c2cef128
SHA1: ca092e52319047d609cb6fcca1821a8f873416df
SHA256: a649d216b55b0f0597a16690b8469b6b44b9cdc73560d8237387b2df225ab20b
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • S9yf6BkjhTQUbHE.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe" MD5: 812861AD5CBB91BFA01A6A15C2CEF128)
    • S9yf6BkjhTQUbHE.exe (PID: 6408 cmdline: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe MD5: 812861AD5CBB91BFA01A6A15C2CEF128)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 6488 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • msdt.exe (PID: 6472 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 6572 cmdline: /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.peptidepowder.com/czh8/"], "decoy": ["ekkyo-business.com", "anamentor.com", "criptodigital.online", "smart-device.tech", "piano-tomimoto.com", "sergiojuradomunera.com", "xn----pl8a630b0whm6t.com", "exploitslozdz.xyz", "peregorodki.store", "authenticationtd.net", "ichelbrousset.com", "amboyshops.com", "hengtaigyl.com", "iliubo.com", "overtimersanonymous.com", "crimsonrangellc.com", "otterburnelanding.com", "ping-ken.info", "belezaweb.digital", "elementkultury.com", "heireply.xyz", "membranbakar.xyz", "babygirlletsheal.com", "alpe.paris", "fuslonnd.com", "massaora.com", "geatarotista.com", "namethatsetup.com", "igdxir.com", "tokatyapimarket.com", "soundnox.com", "ase3baeb4p.com", "uniteddatavault.com", "savageequipment.biz", "cutos2.com", "thietketrangtrinhacua.store", "mways-vintage.com", "cloudscapephotos.com", "padelscuolaroma.store", "medeiros.store", "green-umbrella.academy", "kobaran.com", "ilmkibahar.com", "blueworldaquariums.com", "bigjohnblues.com", "e2adriasec.online", "pufaawareskincare.com", "sumerchemicals.com", "epubgame.net", "nuditecouverte.com", "tbpadvogados.website", "cryptoentering.com", "dahliahearing.com", "annellata.xyz", "barberking.online", "cpw882.com", "dock-weiler.com", "dianyuwang.com", "fitpromax.xyz", "deckingtoronto.com", "boundlessentgroup.com", "metricwombat.com", "emergencyhomerepairnetwork.com", "fullerhomeloans.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed under each row)
00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(table truncated: 34 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings (listed under each row)
1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(table truncated: 18 entries in total)

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 6472

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as shown under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: S9yf6BkjhTQUbHE.exe | ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match | File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: S9yf6BkjhTQUbHE.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: S9yf6BkjhTQUbHE.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL | source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315139597.0000000001090000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520823591.0000000004D9F000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520500167.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: S9yf6BkjhTQUbHE.exe, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315139597.0000000001090000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 00000012.00000002.520823591.0000000004D9F000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520500167.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb | source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49827 -> 34.117.168.233:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49827 -> 34.117.168.233:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49827 -> 34.117.168.233:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49837 -> 198.54.117.218:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49837 -> 198.54.117.218:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49837 -> 198.54.117.218:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.xn----pl8a630b0whm6t.com
Source: C:\Windows\explorer.exe | Domain query: www.epubgame.net
Source: C:\Windows\explorer.exe | Network Connect: 23.106.123.249 80
Source: C:\Windows\explorer.exe | Network Connect: 172.67.178.31 80
Source: C:\Windows\explorer.exe | Domain query: www.anamentor.com
Source: C:\Windows\explorer.exe | Domain query: www.fuslonnd.com
Source: C:\Windows\explorer.exe | Domain query: www.annellata.xyz
Source: C:\Windows\explorer.exe | Domain query: www.metricwombat.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.annellata.xyz
Source: DNS query: www.exploitslozdz.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.peptidepowder.com/czh8/
Source: Joe Sandbox View | ASN Name: LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: GET /czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG+pwFiMTHdBlEYfNNBf&t4b=Zn-L HTTP/1.1 Host: www.anamentor.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii: (seven null bytes, nothing printable)
Source: Joe Sandbox View | IP Address: 23.106.123.249
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msdt.exe, 00000012.00000002.519445044.000000000315F000.00000004.00000020.sdmp | String found in binary or memory: http://www.xn----pl8a630b0whm6t.com/czh8/?7n=WfBFmY7eHt5QBShHhdd2jwwFQU0Qfs4ciJop7u3ZFFtbwI7iz04mk8i
Source: msdt.exe, 00000012.00000002.521258705.0000000005332000.00000004.00020000.sdmp | String found in binary or memory: https://www.anamentor.com/czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG
Source: unknown | DNS traffic detected: queries for: www.epubgame.net
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.253365121.00000000011E9000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same unpacked PE and memory dump sources listed for this signature under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: S9yf6BkjhTQUbHE.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 0_2_05525AB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 0_2_05525AA0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_00401030
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_0041BA22
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_0041C42D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_00408C8D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_00408C90
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_00402D87
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_0041CFB4
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010BF900
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_01182D07
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010B0D20
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010D4120
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_01181D55
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010E2581
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_011825DD
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010CD5E0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010C841F
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_01171002
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_0117D466
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010CB090
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010E20A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_011820A8
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_011828EC
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_01182B28
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010EEBB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_0117DBD2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_01181FF1
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010D6E30
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_011822AE
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_01182EF7
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D6D466
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CB841F
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D725DD
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CBD5E0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CD2581
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D71D55
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D72D07
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CA0D20
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D72EF7
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D6D616
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CC6E30
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D7DFCE
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D71FF1
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D728EC
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CBB090
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CD20A0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D720A8
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D61002
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D7E824
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CCA830
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CAF900
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CC4120
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D722AE
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D5FA2B
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D6DBD2
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D603DA
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CDEBB0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CCAB40
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04D72B28
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008EBA22
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008D8C8D
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008D8C90
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008EC41E
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008D2D87
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008D2D90
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008ECFB4
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008D2FB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: String function: 010BB150 appears 35 times
Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 04CAB150 appears 54 times
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_004185F0 NtCreateFile,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_004186A0 NtReadFile,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_00418720 NtClose,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_004187D0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_0041869A NtReadFile,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_004187CA NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010FAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9560 NtWriteFile,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010FB040 NtSuspendThread,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010FA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9760 NtOpenProcess,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010FA770 NtOpenThread,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010FA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9A10 NtQuerySection,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F96D0 NtCreateKey,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9560 NtWriteFile,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CEAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CEA770 NtOpenThread,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CEA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CEB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CEA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008E85F0 NtCreateFile,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008E86A0 NtReadFile,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008E87D0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008E8720 NtClose,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008E869A NtReadFile,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008E87CA NtAllocateVirtualMemory,
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.253365121.00000000011E9000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.257531563.00000000061E0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.257392561.0000000005CB0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000000.241151855.0000000000AF0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameInAttribu.exe. vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamemsdt.exej% vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000001.00000000.248672814.00000000004C0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameInAttribu.exe. vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316078938.000000000133F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exeBinary or memory string: OriginalFilenameInAttribu.exe. vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: S9yf6BkjhTQUbHE.exeReversingLabs: Detection: 22%
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeFile read: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe:Zone.IdentifierJump to behavior
          Source: S9yf6BkjhTQUbHE.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeProcess created: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeProcess created: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
          Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\S9yf6BkjhTQUbHE.exe.log
          Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@13/2
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_01
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
          Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: /InAttribu;component/views/addbook.xaml
          Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: views/addbook.baml
          Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: views/addcustomer.baml
          Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: /InAttribu;component/views/addcustomer.xaml
          Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: O/InAttribu;component/views/addbook.xamle/InAttribu;component/views/borrowfrombookview.xaml[/InAttribu;component/views/borrowingview.xamlU/InAttribu;component/views/changebook.xaml]/InAttribu;component/views/changecustomer.xamlY/InAttribu;component/views/customerview.xaml]/InAttribu;component/views/deletecustomer.xamlS/InAttribu;component/views/errorview.xamlW/InAttribu;component/views/smallextras.xamlW/InAttribu;component/views/addcustomer.xaml
          Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\msdt.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: S9yf6BkjhTQUbHE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: S9yf6BkjhTQUbHE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315139597.0000000001090000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520823591.0000000004D9F000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520500167.0000000004C80000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: S9yf6BkjhTQUbHE.exe, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315139597.0000000001090000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 00000012.00000002.520823591.0000000004D9F000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520500167.0000000004C80000.00000040.00000001.sdmp
          Source: Binary string: msdt.pdb source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: S9yf6BkjhTQUbHE.exe, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.S9yf6BkjhTQUbHE.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.S9yf6BkjhTQUbHE.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.S9yf6BkjhTQUbHE.exe.450000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.7.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.5.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.9.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_00A86F9A push 00000018h; retf
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_00A892F5 push ds; ret
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_00A89361 push ds; retf
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_00A89347 push ds; ret
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_055256E0 push esp; iretd
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041B832 push eax; ret
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041B83B push eax; ret
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041B89C push eax; ret
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041533E push esp; ret
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041B7E5 push eax; ret
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_004592F5 push ds; ret
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00459347 push ds; ret
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00459361 push ds; retf
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00456F9A push 00000018h; retf
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0110D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CFD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008EB89C push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008EB83B push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008EB832 push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008E533E push esp; ret
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008EB7E5 push eax; ret
          Source: initial sample Static PE information: section name: .text entropy: 7.85954100497

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: 0.2.S9yf6BkjhTQUbHE.exe.2fe8e70.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.S9yf6BkjhTQUbHE.exe.307aecc.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: S9yf6BkjhTQUbHE.exe PID: 6344, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 00000000008D8614 second address: 00000000008D861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 00000000008D89AE second address: 00000000008D89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239859s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6392 Thread sleep count: 1268 > 30
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6392 Thread sleep count: 928 > 30
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239732s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6348 Thread sleep time: -30583s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239623s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239512s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239405s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239281s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239170s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239046s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238903s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238765s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238656s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238531s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238421s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238311s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238203s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -237906s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -237312s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -237109s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -236546s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -236435s >= -30000s
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6376 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7104 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 240000
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239859
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239732
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239623
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239512
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239405
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239281
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239170
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239046
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238903
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238765
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238656
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238531
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238421
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238311
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238203
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 237906
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 237312
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 237109
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 236546
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 236435
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Window / User API: threadDelayed 1268
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Window / User API: threadDelayed 928
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 30583
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000004.00000000.265082760.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000004.00000000.274001743.00000000011B3000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.296079980.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: msdt.exe, 00000012.00000002.519572932.000000000318D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW1mYI
          Source: msdt.exe, 00000012.00000002.519548832.0000000003182000.00000004.00000020.sdmp, msdt.exe, 00000012.00000002.519325977.000000000313F000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000004.00000000.254354478.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000004.00000000.265145193.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000004.00000000.257571644.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000004.00000000.265145193.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0113A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01188D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010DB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010F3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01133540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010D7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010DC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010DC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010DC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_011351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_011351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_011351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_011351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_011805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_011805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_011369A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01136DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01136DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01136DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01136DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01136DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01136DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01168DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010CD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010CD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0117FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0117FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0117FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0117FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_011441E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01137016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01137016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01137016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01184015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01184015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0118740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0118740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0118740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01136C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01136C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01136C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01136C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010CB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0114C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0114C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010D0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010D0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010D746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01172073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01181074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01133884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01133884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010C849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010F90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0114B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0114B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0114B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0114B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0114B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0114B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01188CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01136CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01136CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01136CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_011714FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0114FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0114FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0117131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0118070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0118070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010DF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01188B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010CEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010CFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01188F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010C1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010C1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01137794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01137794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01137794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0116D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010C8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0117138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01185BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_011353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_011353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010DDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010F37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010C8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010D3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01171608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010F4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010F4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0116FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010BE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0117EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01144257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0117AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0117AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010C766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010F927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0116B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0116B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01188A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0114FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010ED294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010ED294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010B52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_011346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010CAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010CAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01180EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01180EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01180EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010EFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010F8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_01188ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_0116FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010E16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_010C76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D78CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D614FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CB849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D3C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D3C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CDA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CC746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CDBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D26DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D58DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CBD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CDFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CE3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D23540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D53D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CC7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CCC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D78D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D2A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D6E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CAAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D78ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CE8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D5FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CB76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D3FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D246A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D6AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CB766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CCAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CAC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CDA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D61608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D5FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CAE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CE37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CB8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CBEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CBFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D78F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D3FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CDA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D7070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CCF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CA4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CDE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D3B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CA58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CA40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CA9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D23884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CE90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CDF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CDF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CC0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D71074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D62073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D74015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CBB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CCA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CAB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D341E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CDA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CCC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D649A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D269A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CCB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CAC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CAB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CA9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CC4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CD2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CDD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CBAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CDFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D6EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04D34257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 18_2_04CA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeCode function: 1_2_00409B50 LdrLoadDll,
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeDomain query: www.xn----pl8a630b0whm6t.com
          Source: C:\Windows\explorer.exeDomain query: www.epubgame.net
          Source: C:\Windows\explorer.exeNetwork Connect: 23.106.123.249 80
          Source: C:\Windows\explorer.exeNetwork Connect: 172.67.178.31 80
          Source: C:\Windows\explorer.exeDomain query: www.anamentor.com
          Source: C:\Windows\explorer.exeDomain query: www.fuslonnd.com
          Source: C:\Windows\explorer.exeDomain query: www.annellata.xyz
          Source: C:\Windows\explorer.exeDomain query: www.metricwombat.com
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeSection unmapped: C:\Windows\SysWOW64\msdt.exe base address: 9F0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeSection loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeSection loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exeSection loaded: unknown target: unknown protection: read write
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeThread register set: target process: 3472
          Source: C:\Windows\SysWOW64\msdt.exeThread register set: target process: 3472
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeProcess created: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
          Source: explorer.exe, 00000004.00000000.254553864.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.280099499.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.265196730.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.303201524.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.274165242.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.294467030.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.284970506.00000000089FF000.00000004.00000001.sdmp, msdt.exe, 00000012.00000002.519708075.0000000003530000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.254553864.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.274165242.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.294467030.0000000001640000.00000002.00020000.sdmp, msdt.exe, 00000012.00000002.519708075.0000000003530000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.254553864.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.274165242.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.294467030.0000000001640000.00000002.00020000.sdmp, msdt.exe, 00000012.00000002.519708075.0000000003530000.00000002.00020000.sdmpBinary or memory string: SProgram Managerl
          Source: explorer.exe, 00000004.00000000.294037457.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000004.00000000.273892369.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000004.00000000.254192826.0000000001128000.00000004.00000020.sdmpBinary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000004.00000000.254553864.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.274165242.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.294467030.0000000001640000.00000002.00020000.sdmp, msdt.exe, 00000012.00000002.519708075.0000000003530000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000004.00000000.254553864.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.274165242.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.294467030.0000000001640000.00000002.00020000.sdmp, msdt.exe, 00000012.00000002.519708075.0000000003530000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeQueries volume information: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe VolumeInformation
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara matchFile source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter (2) | Path Interception | Process Injection (512) | Masquerading (1) | Input Capture (1) | Security Software Discovery (221) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules (1) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (512) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (12) | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (4) | Cached Domain Credentials | System Information Discovery (112) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (13) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

          Behavior Graph

Behavior Graph ID: 528622
Sample: S9yf6BkjhTQUbHE.exe
Start date: 25/11/2021
Architecture: WINDOWS
Score: 100

• Start
  • DNS/IP: www.peregorodki.store; www.fullerhomeloans.com; 8 other IPs or domains
  • Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
  • S9yf6BkjhTQUbHE.exe (started)
    • Dropped file: C:\Users\user\...\S9yf6BkjhTQUbHE.exe.log, ASCII
    • Signature: Tries to detect virtualization through RDTSC time measurements
    • S9yf6BkjhTQUbHE.exe (started, second instance)
      • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      • explorer.exe (injected)
        • DNS/IP: www.xn----pl8a630b0whm6t.com 23.106.123.249, port 80, LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG, Singapore; www.anamentor.com 172.67.178.31, ports 49825 and 80, CLOUDFLARENETUS, United States; 4 other IPs or domains
        • Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
        • msdt.exe (started)
          • DNS/IP: www.xn----pl8a630b0whm6t.com
          • Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe (started)
            • conhost.exe (started)
        • autoconv.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
S9yf6BkjhTQUbHE.exe | 22% | ReversingLabs | Win32.Trojan.AgentTesla

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.xn----pl8a630b0whm6t.com/czh8/?7n=WfBFmY7eHt5QBShHhdd2jwwFQU0Qfs4ciJop7u3ZFFtbwI7iz04mk8i | 0% | Avira URL Cloud | safe
http://www.anamentor.com/czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG+pwFiMTHdBlEYfNNBf&t4b=Zn-L | 0% | Avira URL Cloud | safe
www.peptidepowder.com/czh8/ | 0% | Avira URL Cloud | safe
https://www.anamentor.com/czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.xn----pl8a630b0whm6t.com | 23.106.123.249 | true | true | - | unknown
td-ccm-168-233.wixdns.net | 34.117.168.233 | true | true | - | unknown
cryptoentering.com | 127.0.0.1 | true | true | - | unknown
parkingpage.namecheap.com | 198.54.117.218 | true | false | - | high
www.ichelbrousset.com | 209.17.116.163 | true | false | - | unknown
www.anamentor.com | 172.67.178.31 | true | true | - | unknown
www.fuslonnd.com | unknown | unknown | true | - | unknown
www.dock-weiler.com | unknown | unknown | true | - | unknown
www.peregorodki.store | unknown | unknown | true | - | unknown
www.annellata.xyz | unknown | unknown | true | - | unknown
www.metricwombat.com | unknown | unknown | true | - | unknown
www.fullerhomeloans.com | unknown | unknown | true | - | unknown
www.epubgame.net | unknown | unknown | true | - | unknown
www.exploitslozdz.xyz | unknown | unknown | true | - | unknown
www.cryptoentering.com | unknown | unknown | true | - | unknown

                                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.anamentor.com/czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG+pwFiMTHdBlEYfNNBf&t4b=Zn-L | true | Avira URL Cloud: safe | unknown
www.peptidepowder.com/czh8/ | true | Avira URL Cloud: safe | low

                                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.xn----pl8a630b0whm6t.com/czh8/?7n=WfBFmY7eHt5QBShHhdd2jwwFQU0Qfs4ciJop7u3ZFFtbwI7iz04mk8i | msdt.exe, 00000012.00000002.519445044.000000000315F000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | S9yf6BkjhTQUbHE.exe, 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp; S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp | false | - | high
https://www.anamentor.com/czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG | msdt.exe, 00000012.00000002.521258705.0000000005332000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown

                                          Contacted IPs


                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
23.106.123.249 | www.xn----pl8a630b0whm6t.com | Singapore | 59253 | LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | true
172.67.178.31 | www.anamentor.com | United States | 13335 | CLOUDFLARENETUS | true

                                          General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528622
Start date: 25.11.2021
Start time: 15:11:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: S9yf6BkjhTQUbHE.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/1@13/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 17.5% (good quality ratio 15.5%)
• Quality average: 72.4%
• Quality standard deviation: 32.4%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, WerFault.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.54.110.249
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/528622/sample/S9yf6BkjhTQUbHE.exe

                                          Simulations

                                          Behavior and APIs

Time | Type | Description
15:12:29 | API Interceptor | 22x Sleep call for process: S9yf6BkjhTQUbHE.exe modified

                                          Joe Sandbox View / Context

                                          IPs

23.106.123.249, associated samples (all detected as malicious):
• gJvdHdeawX.exe
• SecuriteInfo.com.Trojan.GenericKDZ.74048.21519.exe
• SecuriteInfo.com.Ransom.Stop.P6.19307.exe
• SecuriteInfo.com.W32.AIDetect.malware1.7393.exe
• SecuriteInfo.com.W32.AIDetect.malware1.2200.exe
• SecuriteInfo.com.W32.AIDetect.malware2.22585.exe
• ZcCHi8mKVk.exe
172.67.178.31, associated samples (all detected as malicious):
• 40rsuPoRyW.exe, context: www.anamentor.com/shjn/?sbWx=tv0gbh/Fir1M81j+EOOET4kbqB9H6LwHpkw5oua6kbgwj0sH1g9v33R+7+13J6QYFzuS&e0=s8Vty2Ip
• DHL_DELIVERY_ADDRESS_CONFIRMATION.xlsx, context: www.anamentor.com/shjn/?lL=tv0gbh/Ais1I8lvyGOOET4kbqB9H6LwHpkop0tG7g7gxjFABywsjhzp84Y5xCLETQValQA==&NRX4i6=BxoHnNf8mX1

                                                        Domains


                                                        ASN


JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\S9yf6BkjhTQUbHE.exe.log
Process: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2239
Entropy (8bit): 5.354287817410997
Encrypted: false
SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
MD5: 913D1EEA179415C6D08FB255AE42B99D
SHA1: E994C612C0596994AAE55FBCE35B7A4FBE312FD7
SHA-256: 473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
SHA-512: 768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.847097424496743
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: S9yf6BkjhTQUbHE.exe
File size: 446976
MD5: 812861ad5cbb91bfa01a6a15c2cef128
SHA1: ca092e52319047d609cb6fcca1821a8f873416df
SHA256: a649d216b55b0f0597a16690b8469b6b44b9cdc73560d8237387b2df225ab20b
SHA512: 67f95b15cf249be43324f73de874fc5ca2f2b1d7255c1bb99b6d103b8d9c7414ebbf3ce1bdf7bb9df225c020d79836985c89fa687049892fa6323c535579e05d
SSDEEP: 12288:iDW+U0QixBFmqI9AY9aVrwRn+BbxGmG5tquMAQ52RJeHEO:iDvU0Qi1hIhaVASx85tquMAQ52HdO
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...QM.a..............0.............v.... ........@.. .......................@............@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x46e776
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x619F4D51 [Thu Nov 25 08:46:09 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [ebp+0800000Eh], ch
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e724 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x5c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x6c78c | 0x6c800 | False | 0.884828629032 | data | 7.85954100497 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x70000 | 0x5c4 | 0x600 | False | 0.4296875 | data | 4.13698409708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x72000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x70090 | 0x334 | data | |
RT_MANIFEST | 0x703d4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Rogers Peet
Assembly Version | 8.0.6.0
InternalName | InAttribu.exe
FileVersion | 5.6.0.0
CompanyName | Rogers Peet
LegalTrademarks |
Comments |
ProductName | Biblan
ProductVersion | 5.6.0.0
FileDescription | Biblan
OriginalFilename | InAttribu.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/25/21-15:14:49.156551 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49827 | 80 | 192.168.2.5 | 34.117.168.233
11/25/21-15:14:49.156551 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49827 | 80 | 192.168.2.5 | 34.117.168.233
11/25/21-15:14:49.156551 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49827 | 80 | 192.168.2.5 | 34.117.168.233
11/25/21-15:15:02.896670 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49837 | 80 | 192.168.2.5 | 198.54.117.218
11/25/21-15:15:02.896670 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49837 | 80 | 192.168.2.5 | 198.54.117.218
11/25/21-15:15:02.896670 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49837 | 80 | 192.168.2.5 | 198.54.117.218

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2021 15:14:01.519339085 CET | 49818 | 80 | 192.168.2.5 | 23.106.123.249
Nov 25, 2021 15:14:04.525531054 CET | 49818 | 80 | 192.168.2.5 | 23.106.123.249
Nov 25, 2021 15:14:10.526567936 CET | 49818 | 80 | 192.168.2.5 | 23.106.123.249
Nov 25, 2021 15:14:25.683936119 CET | 49824 | 80 | 192.168.2.5 | 23.106.123.249
Nov 25, 2021 15:14:27.669626951 CET | 49825 | 80 | 192.168.2.5 | 172.67.178.31
Nov 25, 2021 15:14:27.703460932 CET | 80 | 49825 | 172.67.178.31 | 192.168.2.5
Nov 25, 2021 15:14:27.703563929 CET | 49825 | 80 | 192.168.2.5 | 172.67.178.31
Nov 25, 2021 15:14:27.703845978 CET | 49825 | 80 | 192.168.2.5 | 172.67.178.31
Nov 25, 2021 15:14:27.733259916 CET | 80 | 49825 | 172.67.178.31 | 192.168.2.5
Nov 25, 2021 15:14:27.778224945 CET | 80 | 49825 | 172.67.178.31 | 192.168.2.5
Nov 25, 2021 15:14:27.778455019 CET | 80 | 49825 | 172.67.178.31 | 192.168.2.5
Nov 25, 2021 15:14:27.778503895 CET | 49825 | 80 | 192.168.2.5 | 172.67.178.31
Nov 25, 2021 15:14:27.778527975 CET | 49825 | 80 | 192.168.2.5 | 172.67.178.31
Nov 25, 2021 15:14:27.807986975 CET | 80 | 49825 | 172.67.178.31 | 192.168.2.5
Nov 25, 2021 15:14:28.699433088 CET | 49824 | 80 | 192.168.2.5 | 23.106.123.249
Nov 25, 2021 15:14:34.700012922 CET | 49824 | 80 | 192.168.2.5 | 23.106.123.249

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2021 15:13:46.186501980 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Nov 25, 2021 15:13:46.241841078 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Nov 25, 2021 15:13:51.264303923 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Nov 25, 2021 15:13:51.343818903 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Nov 25, 2021 15:13:56.359602928 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Nov 25, 2021 15:13:56.414275885 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Nov 25, 2021 15:14:01.449800968 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Nov 25, 2021 15:14:01.513969898 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Nov 25, 2021 15:14:25.505644083 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Nov 25, 2021 15:14:25.582798958 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Nov 25, 2021 15:14:27.600068092 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Nov 25, 2021 15:14:27.668248892 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Nov 25, 2021 15:14:32.799489021 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Nov 25, 2021 15:14:32.882380962 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Nov 25, 2021 15:14:37.889867067 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Nov 25, 2021 15:14:37.956604958 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Nov 25, 2021 15:14:43.999562979 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Nov 25, 2021 15:14:44.050005913 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Nov 25, 2021 15:14:49.062454939 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Nov 25, 2021 15:14:49.133816957 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Nov 25, 2021 15:14:54.248440027 CET | 56432 | 53 | 192.168.2.5 | 8.8.8.8
Nov 25, 2021 15:14:54.410651922 CET | 53 | 56432 | 8.8.8.8 | 192.168.2.5
Nov 25, 2021 15:15:02.666291952 CET | 62372 | 53 | 192.168.2.5 | 8.8.8.8
Nov 25, 2021 15:15:02.729429960 CET | 53 | 62372 | 8.8.8.8 | 192.168.2.5
Nov 25, 2021 15:15:08.072524071 CET | 61515 | 53 | 192.168.2.5 | 8.8.8.8
Nov 25, 2021 15:15:08.158160925 CET | 53 | 61515 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 25, 2021 15:13:46.186501980 CET | 192.168.2.5 | 8.8.8.8 | 0x5f4f | Standard query (0) | www.epubgame.net | A (IP address) | IN (0x0001)
Nov 25, 2021 15:13:51.264303923 CET | 192.168.2.5 | 8.8.8.8 | 0xabac | Standard query (0) | www.fuslonnd.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:13:56.359602928 CET | 192.168.2.5 | 8.8.8.8 | 0xd8e9 | Standard query (0) | www.annellata.xyz | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:01.449800968 CET | 192.168.2.5 | 8.8.8.8 | 0xaf65 | Standard query (0) | www.xn----pl8a630b0whm6t.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:25.505644083 CET | 192.168.2.5 | 8.8.8.8 | 0xfd5f | Standard query (0) | www.xn----pl8a630b0whm6t.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:27.600068092 CET | 192.168.2.5 | 8.8.8.8 | 0x7843 | Standard query (0) | www.anamentor.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:32.799489021 CET | 192.168.2.5 | 8.8.8.8 | 0x9ebd | Standard query (0) | www.metricwombat.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:37.889867067 CET | 192.168.2.5 | 8.8.8.8 | 0xc5e9 | Standard query (0) | www.cryptoentering.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:43.999562979 CET | 192.168.2.5 | 8.8.8.8 | 0x63f6 | Standard query (0) | www.dock-weiler.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:49.062454939 CET | 192.168.2.5 | 8.8.8.8 | 0xb316 | Standard query (0) | www.peregorodki.store | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:54.248440027 CET | 192.168.2.5 | 8.8.8.8 | 0xc76e | Standard query (0) | www.ichelbrousset.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:15:02.666291952 CET | 192.168.2.5 | 8.8.8.8 | 0x6e0f | Standard query (0) | www.exploitslozdz.xyz | A (IP address) | IN (0x0001)
Nov 25, 2021 15:15:08.072524071 CET | 192.168.2.5 | 8.8.8.8 | 0x5d8a | Standard query (0) | www.fullerhomeloans.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 25, 2021 15:13:46.241841078 CET | 8.8.8.8 | 192.168.2.5 | 0x5f4f | Name error (3) | www.epubgame.net | none | none | A (IP address) | IN (0x0001)
Nov 25, 2021 15:13:51.343818903 CET | 8.8.8.8 | 192.168.2.5 | 0xabac | Name error (3) | www.fuslonnd.com | none | none | A (IP address) | IN (0x0001)
Nov 25, 2021 15:13:56.414275885 CET | 8.8.8.8 | 192.168.2.5 | 0xd8e9 | Name error (3) | www.annellata.xyz | none | none | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:01.513969898 CET | 8.8.8.8 | 192.168.2.5 | 0xaf65 | No error (0) | www.xn----pl8a630b0whm6t.com | | 23.106.123.249 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:25.582798958 CET | 8.8.8.8 | 192.168.2.5 | 0xfd5f | No error (0) | www.xn----pl8a630b0whm6t.com | | 23.106.123.249 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:27.668248892 CET | 8.8.8.8 | 192.168.2.5 | 0x7843 | No error (0) | www.anamentor.com | | 172.67.178.31 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:27.668248892 CET | 8.8.8.8 | 192.168.2.5 | 0x7843 | No error (0) | www.anamentor.com | | 104.21.51.95 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:32.882380962 CET | 8.8.8.8 | 192.168.2.5 | 0x9ebd | Name error (3) | www.metricwombat.com | none | none | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:37.956604958 CET | 8.8.8.8 | 192.168.2.5 | 0xc5e9 | No error (0) | www.cryptoentering.com | cryptoentering.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 15:14:37.956604958 CET | 8.8.8.8 | 192.168.2.5 | 0xc5e9 | No error (0) | cryptoentering.com | | 127.0.0.1 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:44.050005913 CET | 8.8.8.8 | 192.168.2.5 | 0x63f6 | Name error (3) | www.dock-weiler.com | none | none | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:49.133816957 CET | 8.8.8.8 | 192.168.2.5 | 0xb316 | No error (0) | www.peregorodki.store | gcdn0.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 15:14:49.133816957 CET | 8.8.8.8 | 192.168.2.5 | 0xb316 | No error (0) | gcdn0.wixdns.net | td-ccm-168-233.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 15:14:49.133816957 CET | 8.8.8.8 | 192.168.2.5 | 0xb316 | No error (0) | td-ccm-168-233.wixdns.net | | 34.117.168.233 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:14:54.410651922 CET | 8.8.8.8 | 192.168.2.5 | 0xc76e | No error (0) | www.ichelbrousset.com | | 209.17.116.163 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:15:02.729429960 CET | 8.8.8.8 | 192.168.2.5 | 0x6e0f | No error (0) | www.exploitslozdz.xyz | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 15:15:02.729429960 CET | 8.8.8.8 | 192.168.2.5 | 0x6e0f | No error (0) | parkingpage.namecheap.com | | 198.54.117.218 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:15:02.729429960 CET | 8.8.8.8 | 192.168.2.5 | 0x6e0f | No error (0) | parkingpage.namecheap.com | | 198.54.117.217 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:15:02.729429960 CET | 8.8.8.8 | 192.168.2.5 | 0x6e0f | No error (0) | parkingpage.namecheap.com | | 198.54.117.215 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:15:02.729429960 CET | 8.8.8.8 | 192.168.2.5 | 0x6e0f | No error (0) | parkingpage.namecheap.com | | 198.54.117.216 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:15:02.729429960 CET | 8.8.8.8 | 192.168.2.5 | 0x6e0f | No error (0) | parkingpage.namecheap.com | | 198.54.117.210 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:15:02.729429960 CET | 8.8.8.8 | 192.168.2.5 | 0x6e0f | No error (0) | parkingpage.namecheap.com | | 198.54.117.212 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:15:02.729429960 CET | 8.8.8.8 | 192.168.2.5 | 0x6e0f | No error (0) | parkingpage.namecheap.com | | 198.54.117.211 | A (IP address) | IN (0x0001)
                                                        Nov 25, 2021 15:15:08.158160925 CET8.8.8.8192.168.2.50x5d8aName error (3)www.fullerhomeloans.comnonenoneA (IP address)IN (0x0001)

HTTP Request Dependency Graph

• www.anamentor.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49825 | 172.67.178.31 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 15:14:27.703845978 CET | 11243 | OUT |
GET /czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG+pwFiMTHdBlEYfNNBf&t4b=Zn-L HTTP/1.1
Host: www.anamentor.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Nov 25, 2021 15:14:27.778224945 CET | 11244 | IN |
HTTP/1.1 301 Moved Permanently
Date: Thu, 25 Nov 2021 14:14:27 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Thu, 25 Nov 2021 15:14:27 GMT
Location: https://www.anamentor.com/czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG+pwFiMTHdBlEYfNNBf&t4b=Zn-L
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RzIWNo2qqeDFO2t1MpA%2FOdaqEXCSt3i%2FGZmLkcZpm6f76Mci07Yzcq5ZRvSRwDOez1hTdzS4aWfPMe8ywl3LNUDv%2B4Z%2Fh5hPMNAVAwFYiHWORPRPU5x6BxLWPT9j1tYPoJT5TQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 6b3b7bc73b736b36-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
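The HTTP exchange above is the FormBook check-in: a GET to www.anamentor.com whose request line carries a short path, a short parameter name with a long base64-like value and a second short parameter, sent with no User-Agent header (the signature the report lists as "HTTP GET or POST without a user agent"), and answered by Cloudflare with a 301 to the same URL over HTTPS. The DNS answers above show the other half of the pattern: the queries walk a list of decoy domains, several of which return NXDOMAIN, one (cryptoentering.com) resolves to 127.0.0.1, and one lands on a registrar parking page. The Python below is an added example, not Joe Sandbox code and not a published detection rule: it parses a raw request and a DNS log in a constructed format, flags the URI shape and the missing User-Agent, and flags the NXDOMAIN churn and loopback answers. The URI regex is generalised from this single beacon, the log format is constructed, and the thresholds are assumptions.

```python
"""Heuristics modelled on the beacon and DNS churn in this report.
Added example, not Joe Sandbox code; the log formats below are constructed."""
import re
from datetime import datetime, timedelta

# Assumption: generalised from the single beacon recorded here
# (GET /czh8/?7n=<long base64-like>&t4b=<short>); not a published rule.
FORMBOOK_URI = re.compile(
    r"^/[a-z0-9]{2,6}/\?[a-z0-9]{1,4}=[A-Za-z0-9+/=_-]{20,}"
    r"&[a-z0-9]{1,4}=[A-Za-z0-9+/=_-]{1,8}$"
)


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def score_http_request(raw: str) -> list:
    """Indicators that fire for one request; an empty list means nothing fired."""
    req = parse_http_request(raw)
    hits = []
    if "user-agent" not in req["headers"]:
        hits.append("no User-Agent header")
    if FORMBOOK_URI.match(req["target"]):
        hits.append("FormBook-style C2 URI")
    return hits


def parse_dns_log(text: str) -> list:
    """Parse constructed 'YYYY-mm-dd HH:MM:SS;name;rcode;answer' lines."""
    rows = []
    for line in text.strip().splitlines():
        ts, name, rcode, answer = line.split(";")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), name, int(rcode), answer))
    return rows


def dns_churn(rows, window_s=120, min_names=5, min_nx_ratio=0.4) -> bool:
    """True if some window holds >= min_names distinct names of which at least
    min_nx_ratio came back NXDOMAIN (rcode 3): the decoy-domain walk seen above."""
    rows = sorted(rows)
    for i, (start, _, _, _) in enumerate(rows):
        names, nx = set(), set()
        for ts, name, rcode, _ in rows[i:]:
            if ts - start > timedelta(seconds=window_s):
                break
            names.add(name)
            if rcode == 3:
                nx.add(name)
        if len(names) >= min_names and len(nx) / len(names) >= min_nx_ratio:
            return True
    return False


def loopback_answers(rows) -> list:
    """Names whose A answer was 127.0.0.1, i.e. a sinkholed or parked C2 candidate."""
    return sorted({n for _, n, rc, ans in rows if rc == 0 and ans == "127.0.0.1"})


# Constructed input: the beacon from this report next to a benign browser request.
BEACON = (
    "GET /czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG+pwFiMTHdBlEYfNNBf"
    "&t4b=Zn-L HTTP/1.1\r\nHost: www.anamentor.com\r\nConnection: close\r\n\r\n"
)
BENIGN = (
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n"
)
# Constructed DNS log: the names and reply codes from this report's DNS table,
# CNAME chains collapsed to the final A answer.
DNS_LOG = """\
2021-11-25 15:13:51;www.fuslonnd.com;3;none
2021-11-25 15:13:56;www.annellata.xyz;3;none
2021-11-25 15:14:01;www.xn----pl8a630b0whm6t.com;0;23.106.123.249
2021-11-25 15:14:27;www.anamentor.com;0;172.67.178.31
2021-11-25 15:14:32;www.metricwombat.com;3;none
2021-11-25 15:14:37;www.cryptoentering.com;0;127.0.0.1
2021-11-25 15:14:44;www.dock-weiler.com;3;none
2021-11-25 15:14:49;www.peregorodki.store;0;34.117.168.233
2021-11-25 15:14:54;www.ichelbrousset.com;0;209.17.116.163
2021-11-25 15:15:02;www.exploitslozdz.xyz;0;198.54.117.218
2021-11-25 15:15:08;www.fullerhomeloans.com;3;none
"""
# Constructed benign log: a few ordinary lookups, all answered (RFC 5737 addresses).
BENIGN_DNS = """\
2021-11-25 15:13:51;www.example.com;0;192.0.2.10
2021-11-25 15:13:52;example.org;0;198.51.100.7
2021-11-25 15:13:53;www.example.net;0;203.0.113.42
"""
```

The window, minimum name count and NXDOMAIN ratio are tunable. On a real resolver log the individual answers above look harmless: anamentor.com sits behind Cloudflare and exploitslozdz.xyz is a Namecheap parking page, which is why the churn rule counts distinct names and failures per host rather than scoring any single answer.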


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 15:12:27
Start date: 25/11/2021
Path: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
Imagebase: 0xa80000
File size: 446976 bytes
MD5 hash: 812861AD5CBB91BFA01A6A15C2CEF128
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 15:12:30
Start date: 25/11/2021
Path: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe
Imagebase: 0x450000
File size: 446976 bytes
MD5 hash: 812861AD5CBB91BFA01A6A15C2CEF128
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 15:12:33
Start date: 25/11/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff693d90000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 15:12:58
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit): false
Commandline: C:\Windows\SysWOW64\autoconv.exe
Imagebase: 0x1080000
File size: 851968 bytes
MD5 hash: 4506BE56787EDCD771A351C10B5AE3B7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 15:12:58
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\msdt.exe
Imagebase: 0x9f0000
File size: 1508352 bytes
MD5 hash: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 15:13:02
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:13:04
Start date: 25/11/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
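The process list above records the chain that the report's signatures summarise: the sample starts a second instance of its own image (same path and file size, different image base, no longer identified as .NET, FormBook matches at 0x400000, consistent with the process hollowing signature), explorer.exe then carries FormBook matches in memory, two 32-bit system utilities start from SysWOW64 with command lines that are nothing but their image path (autoconv.exe, msdt.exe), and cmd.exe runs /c del on the original file. The Python below is an added example, not Joe Sandbox code, that applies those three checks to process-creation records. The record shape, the PIDs and the parent links are constructed assumptions: this section lists the processes but not which process started which.

```python
"""Process-tree heuristics for the execution chain recorded in this report: the
sample re-launching its own image, injected explorer.exe spawning a bare SysWOW64
utility, and cmd.exe deleting the original file. Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed shape, not a Sysmon/ETW schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Matches the cmd.exe command line from the report: /c del "<path>" (quotes optional).
DEL_CMD = re.compile(r'(?i)/c\s+del\s+"?(?P<path>[^"]+?)"?\s*$')
SYSWOW64 = re.compile(r"(?i)^c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_chain(events: list, sample_path: str) -> list:
    """Return one indicator string per suspicious link found around sample_path."""
    by_pid = {e.pid: e for e in events}
    sample = sample_path.lower()
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else "?"
        # 1. The sample starts a second copy of its own image: the instance the
        #    report shows with a different image base and FormBook code at 0x400000.
        if parent and e.image.lower() == sample and parent.image.lower() == sample:
            hits.append(f"self re-launch: pid {e.pid} (parent pid {e.ppid})")
        # 2. explorer.exe launches a 32-bit system utility from SysWOW64 with a
        #    command line that is only the image path. A user opening the same tool
        #    from the shell on a 64-bit host gets the System32 copy, so the SysWOW64
        #    path combined with no arguments is the odd part.
        if (pname == "explorer.exe" and SYSWOW64.match(e.image)
                and e.cmdline.strip().strip('"').lower() == e.image.lower()):
            hits.append(f"explorer.exe spawned {basename(e.image)} with a bare command line")
        # 3. cmd.exe deleting the sample file, whoever launched it.
        if basename(e.image) == "cmd.exe":
            m = DEL_CMD.search(e.cmdline)
            if m and m.group("path").lower() == sample:
                hits.append(f"self-deletion: cmd.exe pid {e.pid} spawned by {pname}")
    return hits


SAMPLE = r"C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
# Constructed events. PIDs and parent links are assumptions laid over the process
# list above; this section lists the processes but not their parents.
EVENTS = [
    ProcEvent(4, 1, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    ProcEvent(100, 4, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(101, 100, SAMPLE, SAMPLE),
    ProcEvent(200, 4, r"C:\Windows\SysWOW64\msdt.exe", r"C:\Windows\SysWOW64\msdt.exe"),
    ProcEvent(201, 200, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"'),
    ProcEvent(202, 201, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # Benign control: the shell starting a 64-bit tool the usual way.
    ProcEvent(300, 4, r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\notepad.exe"),
]
```

The SysWOW64 condition in check 2 is what separates the injected launch from a user opening a tool from the shell; the benign notepad.exe record in the sample data is there to show the rule stays quiet for that case. Check 3 keys on the exact sample path; on a fleet you would widen it to any executable under a user profile being deleted by a cmd.exe whose parent is a signed system utility.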

Disassembly

Code Analysis
