Windows Analysis Report
mWyPrcv7Pl

Overview

General Information

Sample Name: mWyPrcv7Pl (renamed file extension from none to exe)
Analysis ID: 679238
MD5: 557232ed6bcc3043cba02aedcbc96891
SHA1: bd739f8686a3a535b9d2faee8990c77f0de06884
SHA256: f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0
Tags: exe

Detection

DBatLoader, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected DBatLoader
Multi AV Scanner detection for dropped file
Yara detected UAC Bypass using ComputerDefaults
Writes to foreign memory regions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Yara detected Keylogger Generic
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: mWyPrcv7Pl.exe Metadefender: Detection: 45%
Source: mWyPrcv7Pl.exe ReversingLabs: Detection: 76%
Source: C:\Users\Public\Libraries\Tdceco.exe Metadefender: Detection: 45%
Source: C:\Users\Public\Libraries\Tdceco.exe ReversingLabs: Detection: 76%
Source: 00000005.00000000.389338625.0000000050481000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.kingnat.xyz/t3c9/"], "decoy": ["waidfu.com", "sjglyshsv.com", "sdztgy.com", "health-magazines.info", "bajoarmadura.com", "oxian.xyz", "jonspearman.com", "fusodu.online", "jx1718.net", "arminva6tinderella.xyz", "susuhiwah.com", "novotherm.online", "superbloomerz.com", "kuaida56.com", "74hc86.com", "stellumml.com", "neurocalibration.com", "pinkspirit.store", "solitaipat.com", "eassiy.com", "w-coinbase.xyz", "transliberation.space", "food2goscunthorpeonline.com", "as2082m.icu", "goodhistoryhealth.com", "albertojanderson.space", "idc169.com", "silverholleorganicfarms.com", "influxpr.com", "lechecondensada.info", "airyflamy.com", "rangersmix.com", "muadogiadungtot.site", "feldfire.store", "splitdrinks.com", "lbzyfj.com", "mydailycash.online", "ifa-samsung.com", "bzfjm.net", "001qr.com", "elylil.com", "coloradogives365.com", "vmpapp.com", "yourcoachsteph.com", "annalenaroeder.com", "gsolartech.com", "vsecom.net", "digihouse.biz", "paxof.com", "spectrumfxstudio.com", "cwmjcs.com", "borilicious.com", "bigmamma1121.com", "future.hockey", "billionaero.com", "ebavconnect.com", "essntialstore.com", "hillbumper.com", "mlnxsw.xyz", "bicyclelover.com", "sabjibajar.com", "abudhabityrerepair.com", "birdpet.store", "www6142.com"]}

Exploits

Source: Yara match File source: 0.2.mWyPrcv7Pl.exe.5050000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.393565168.0000000004F73000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.478199007.00000000050A9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.393402882.0000000004F18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.393805045.0000000005079000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.468867201.00000000050B9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mWyPrcv7Pl.exe PID: 1320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Tdceco.exe PID: 5336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Tdceco.exe PID: 1316, type: MEMORYSTR
Source: mWyPrcv7Pl.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.6:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 4x nop then pop ebx 5_2_50487B1B

Networking

Source: Malware configuration extractor URLs: www.kingnat.xyz/t3c9/
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 13.107.43.12 13.107.43.12
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /y4mgzNYyFWCuoL1CpJfXG2nhOmpagM85vjzT_hk23otZxY8j9kthxhLVo3LgW441-iwIh8I2hDn-UNAyUZte-8CDcbI6mjERFyHQvM5lOMpPUcp7dXSNoVMY08rwVPjcDqmshWD_m0BtUzyYLclLlxVwpniw7rMNzYknJCnTKcNFoNHorlwCremlDoXBOv5xoKy9xFHzExo4SqFx77jluAO1w/Tdcecogbbgrxarcelvdgocpkcdmqukp?download&psid=1 HTTP/1.1
    User-Agent: lVali
    Host: p5lwwa.am.files.1drv.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /y4msw-fK9n4RvVHniohtl1pJS-yLFYm8CD02pmUoRRn43kEG_ADEfWFKSlO_5d-N-oIPgs43fFTG0AhbrwTaPAJ85Dl25iL1IoO7lHS9lk80VOWo8yA7O8gsh7f_1W-YE4WSTx_DyFGHvC6ylTsygqSOJ1QGvVToggN3Vrt2wBfOq_inO0YBhZfikv3CrmcRYGDeWlhoaRiIuAqhUoiGtrzvQ/Tdcecogbbgrxarcelvdgocpkcdmqukp?download&psid=1 HTTP/1.1
    User-Agent: 29
    Cache-Control: no-cache
    Host: p5lwwa.am.files.1drv.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /y4mU_cOp4FkuMrBqpy1lAxPeL7Y4-t6nTIcmExuaSr1jPX7RC9SsyWZj-O4-vsqLM06YNMh3Q5d0cwLEHQdArqf5FRqlxByoCRcLVdAJBOIYw-15i_tur2Q4cpiC3ltpX5Vuf6B9eYf9RDkDDRQe9atVCwDZdR-_MuvZgXWQLOlRdRZatQBi09VHObunb1Y-bFCDz8gRJfojhZ97POyKx6NdQ/Tdcecogbbgrxarcelvdgocpkcdmqukp?download&psid=1 HTTP/1.1
    User-Agent: lVali
    Host: p5lwwa.am.files.1drv.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /y4mWaWHLDrKa1inK4H1-418q8gR5LOHQWd0yslABzjJdjTslqzhgckkVhZZLptEbF7ndQ_lX3hAzKtmxmKLkKoh_hOoV_JQR-EgEudu5yE6WeSxYG9Dp8AYZBrdKmH4vWosv4HmD7AL1CuOg2XRAncH98temHxOIl2gz4xWzEHjt_yiVKKE7vnQWji5idDo64O4jlghaSFcD1evnS6W_9DV8Q/Tdcecogbbgrxarcelvdgocpkcdmqukp?download&psid=1 HTTP/1.1
    User-Agent: 89
    Cache-Control: no-cache
    Host: p5lwwa.am.files.1drv.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /y4mIx7EMYi-_CrI1jeCrh5BbHSVImrRELVMsUNnh9K-bIFLJQ86upt4s7O3Y9ahcolOPp0MlLGsVuo9XLF1rjBed_3gg1exMq6fJbpn8iXpcV-8eTyI2h1Z3vyJLZElnm-CkQGWPPkHN5HUZYBN0p1tMv8Gwyy1LA_wkheClqsb6BNkjeP0rNcovyWO88SDWpLOIwmnl4ZK0hODROt5TrsnGg/Tdcecogbbgrxarcelvdgocpkcdmqukp?download&psid=1 HTTP/1.1
    User-Agent: lVali
    Host: p5lwwa.am.files.1drv.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /y4mg-DHcHfDPwIEu14sqxJyRZsryuh1g85uk6OFK2GIjs72wZESTb1fRA8K_iSfWQEYtoouzDxBltKddN1Av6UMrT1igS3asX2Ub5nMyzzNHe1ElN6oIFeFAsb76-p7XcS9XaWDDD0uiOMHwkSOZMFc0reu1fq666DxIfR2x7R8JpvyoQZ7Fo6AbBps1dyU-ZtyLWKa7YwP_DeWKIrs8ghU8A/Tdcecogbbgrxarcelvdgocpkcdmqukp?download&psid=1 HTTP/1.1
    User-Agent: 81
    Cache-Control: no-cache
    Host: p5lwwa.am.files.1drv.com
    Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.6:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: Tdceco.exe, 00000009.00000002.451924772.000000000075A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Yara match File source: Process Memory Space: mWyPrcv7Pl.exe PID: 1320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Tdceco.exe PID: 5336, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 00000005.00000000.389338625.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.475401299.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.474297388.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.388219824.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.475449028.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.474331045.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.453262213.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.450674781.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.448442366.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.473577775.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.503688702.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.394645483.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.449569944.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.394525004.0000000005513000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.447559623.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.388844509.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.473551202.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.502458592.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.395850704.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.436669123.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.503717649.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519512838.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.472847590.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.502333065.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.389772957.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519477027.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.463823429.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.472811054.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000005.00000000.389338625.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.389338625.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.389338625.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.475401299.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.475401299.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.475401299.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.474297388.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.474297388.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.474297388.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.388219824.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.388219824.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.388219824.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.475449028.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.475449028.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.475449028.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.474331045.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.474331045.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.474331045.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.453262213.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.453262213.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.453262213.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.450674781.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.450674781.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.450674781.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.448442366.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.448442366.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.448442366.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.473577775.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.473577775.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.473577775.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.503688702.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.503688702.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.503688702.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.394645483.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.394645483.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.394645483.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.449569944.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.449569944.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.449569944.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.394525004.0000000005513000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.394525004.0000000005513000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.394525004.0000000005513000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.447559623.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.447559623.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.447559623.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.388844509.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.388844509.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.388844509.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.473551202.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.473551202.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.473551202.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.502458592.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.502458592.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.502458592.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.395850704.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.395850704.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.395850704.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.436669123.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.436669123.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.436669123.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.503717649.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.503717649.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.503717649.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.519512838.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.519512838.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.519512838.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.472847590.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.472847590.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.472847590.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.502333065.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.502333065.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.502333065.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.389772957.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.389772957.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.389772957.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.519477027.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.519477027.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.519477027.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.463823429.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.463823429.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.463823429.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.472811054.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000000.472811054.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.472811054.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: mWyPrcv7Pl.exe PID: 1320, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: logagent.exe PID: 5980, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: logagent.exe PID: 4004, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: mWyPrcv7Pl.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 00000005.00000000.389338625.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.389338625.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.389338625.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.475401299.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.475401299.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.475401299.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.474297388.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.474297388.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.474297388.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.388219824.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.388219824.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.388219824.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.475449028.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.475449028.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.475449028.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.474331045.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.474331045.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.474331045.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.453262213.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.453262213.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.453262213.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.450674781.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.450674781.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.450674781.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.448442366.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.448442366.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.448442366.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.473577775.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.473577775.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.473577775.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.503688702.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.503688702.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.503688702.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.394645483.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.394645483.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.394645483.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.449569944.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.449569944.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.449569944.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.394525004.0000000005513000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.394525004.0000000005513000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.394525004.0000000005513000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.447559623.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.447559623.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.447559623.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.388844509.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.388844509.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.388844509.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.473551202.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.473551202.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.473551202.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.502458592.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.502458592.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.502458592.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.395850704.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.395850704.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.395850704.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.436669123.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.436669123.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.436669123.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.503717649.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.503717649.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.503717649.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.519512838.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.519512838.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.519512838.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.472847590.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.472847590.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.472847590.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.502333065.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.502333065.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.502333065.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.389772957.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.389772957.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.389772957.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.519477027.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.519477027.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.519477027.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.463823429.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.463823429.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.463823429.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.472811054.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000000.472811054.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.472811054.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: mWyPrcv7Pl.exe PID: 1320, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: logagent.exe PID: 5980, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: logagent.exe PID: 4004, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\Public\Libraries\ocecdT.url, type: DROPPED Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: C:\Users\Public\Libraries\ocecdT.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: C:\Windows\SysWOW64\logagent.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 492
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03C2F88D 0_3_03C2F88D
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03BE4EE0 0_3_03BE4EE0
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03BE135B 0_3_03BE135B
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03BD80E3 0_3_03BD80E3
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_04A598BC 0_3_04A598BC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_50481030 5_2_50481030
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_5049D97E 5_2_5049D97E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_5049D563 5_2_5049D563
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_50482D90 5_2_50482D90
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_50489E4C 5_2_50489E4C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_50489E50 5_2_50489E50
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_5049E68E 5_2_5049E68E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_5049E70A 5_2_5049E70A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_50482FB0 5_2_50482FB0
Source: C:\Users\Public\Libraries\Tdceco.exe Code function: 9_3_03C8F8C1 9_3_03C8F8C1
Source: C:\Users\Public\Libraries\Tdceco.exe Code function: 9_3_03C38117 9_3_03C38117
Source: mWyPrcv7Pl.exe Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: Tdceco.exe.0.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: mWyPrcv7Pl.exe Binary or memory string: OriginalFilename vs mWyPrcv7Pl.exe
Source: mWyPrcv7Pl.exe, 00000000.00000002.391440399.0000000003C9E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs mWyPrcv7Pl.exe
Source: mWyPrcv7Pl.exe, 00000000.00000002.391456442.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs mWyPrcv7Pl.exe
Source: mWyPrcv7Pl.exe, 00000000.00000000.351309617.00000000004AC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename`@ vs mWyPrcv7Pl.exe
Source: mWyPrcv7Pl.exe, 00000000.00000003.352621498.0000000003C85000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs mWyPrcv7Pl.exe
Source: mWyPrcv7Pl.exe, 00000000.00000003.351828503.00000000022C4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs mWyPrcv7Pl.exe
Source: mWyPrcv7Pl.exe, 00000000.00000002.391251759.0000000003BD6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs mWyPrcv7Pl.exe
Source: mWyPrcv7Pl.exe, 00000000.00000003.381378274.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs mWyPrcv7Pl.exe
Source: mWyPrcv7Pl.exe, 00000000.00000003.354784423.0000000004B1B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs mWyPrcv7Pl.exe
Source: mWyPrcv7Pl.exe, 00000000.00000002.393103798.0000000004A44000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs mWyPrcv7Pl.exe
Source: mWyPrcv7Pl.exe, 00000000.00000003.352239256.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs mWyPrcv7Pl.exe
Source: mWyPrcv7Pl.exe Binary or memory string: OriginalFilename`@ vs mWyPrcv7Pl.exe
Source: mWyPrcv7Pl.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mWyPrcv7Pl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Tdceco.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Tdceco.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Section loaded: system.dll
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Section loaded: kernel.dll
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Section loaded: ahadmin.dll
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Section loaded: racertmgr.dll
Source: C:\Users\Public\Libraries\Tdceco.exe Section loaded: system.dll
Source: C:\Users\Public\Libraries\Tdceco.exe Section loaded: kernel.dll
Source: C:\Users\Public\Libraries\Tdceco.exe Section loaded: ahadmin.dll
Source: C:\Users\Public\Libraries\Tdceco.exe Section loaded: racertmgr.dll
Source: mWyPrcv7Pl.exe Metadefender: Detection: 45%
Source: mWyPrcv7Pl.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe File read: C:\Users\user\Desktop\mWyPrcv7Pl.exe
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\mWyPrcv7Pl.exe "C:\Users\user\Desktop\mWyPrcv7Pl.exe"
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Process created: C:\Windows\SysWOW64\logagent.exe "C:\Windows\System32\logagent.exe"
Source: C:\Windows\SysWOW64\logagent.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 492
Source: unknown Process created: C:\Users\Public\Libraries\Tdceco.exe "C:\Users\Public\Libraries\Tdceco.exe"
Source: C:\Users\Public\Libraries\Tdceco.exe Process created: C:\Windows\SysWOW64\logagent.exe "C:\Windows\System32\logagent.exe"
Source: C:\Windows\SysWOW64\logagent.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 492
Source: C:\Windows\SysWOW64\logagent.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 532
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B091E540-83E3-11CF-A713-0020AFD79762}\InProcServer32
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\Tdcecogbbgrxarcelvdgocpkcdmqukp[1]
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2754.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@14/18@6/2
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Tdceco.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5980
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4004
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Tdceco.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation

Source: Yara match File source: mWyPrcv7Pl.exe, type: SAMPLE
Source: Yara match File source: 0.0.mWyPrcv7Pl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.351200993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.391456442.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.390707800.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.462348306.00000000021F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.465195848.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\Public\Libraries\Tdceco.exe, type: DROPPED
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03C31DC5 push 004A38D2h; ret 0_3_03C31DE3
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03C2EE71 push 004A0C11h; ret 0_3_03C2F122
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03C31D81 push 004A38A0h; ret 0_3_03C31DB1
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03C31D09 push 004A3816h; ret 0_3_03C31D27
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03C2F9A1 push 004A14B3h; ret 0_3_03C2F9C4
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03C31D35 push 004A385Eh; ret 0_3_03C31D6F
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03BDA58B push 004A385Eh; ret 0_3_03BDA5C5
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03BD81F7 push 004A14B3h; ret 0_3_03BD821A
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03BDA5D7 push 004A38A0h; ret 0_3_03BDA607
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03BDA61B push 004A38D2h; ret 0_3_03BDA639
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03BDA55F push 004A3816h; ret 0_3_03BDA57D
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_03BDA743 push 380043CAh; retf 0043h 0_3_03BDA748
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_04A5AC9C push eax; ret 0_3_04A5ACD8
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_04A5C28C push eax; ret 0_3_04A5C2C8
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_04A5C296 push eax; ret 0_3_04A5C2C8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_5049E8EB push dword ptr [2698C6AAh]; ret 5_2_5049E90D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_5049E895 push dword ptr [359F78B3h]; ret 5_2_5049E8B8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_504979BB push ds; iretd 5_2_504979EF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_5049D475 push eax; ret 5_2_5049D4C8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_5049D4CB push eax; ret 5_2_5049D532
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_5049D4C2 push eax; ret 5_2_5049D4C8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_5049D52C push eax; ret 5_2_5049D532
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_50496754 pushfd ; retf 5_2_50496755
Source: C:\Users\Public\Libraries\Tdceco.exe Code function: 9_3_03C8EEA5 push 004A0C11h; ret 9_3_03C8F156
Source: C:\Users\Public\Libraries\Tdceco.exe Code function: 9_3_03C81E12 push dword ptr [edi+edi*8-002C005Ch]; ret 9_3_03C81E35
Source: C:\Users\Public\Libraries\Tdceco.exe Code function: 9_3_03C8F9D5 push 004A14B3h; ret 9_3_03C8F9F8
Source: C:\Users\Public\Libraries\Tdceco.exe Code function: 9_3_03C91DF9 push 004A38D2h; ret 9_3_03C91E17
Source: C:\Users\Public\Libraries\Tdceco.exe Code function: 9_3_03C91DB5 push 004A38A0h; ret 9_3_03C91DE5
Source: C:\Users\Public\Libraries\Tdceco.exe Code function: 9_3_03C91D69 push 004A385Eh; ret 9_3_03C91DA3
Source: C:\Users\Public\Libraries\Tdceco.exe Code function: 9_3_03C7F166 push ecx; iretd 9_3_03C7F167
Source: C:\Users\Public\Libraries\Tdceco.exe Code function: 9_3_03C91D3D push 004A3816h; ret 9_3_03C91D5B
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe File created: C:\Users\Public\Libraries\Tdceco.exe
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Tdceco
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\Public\Libraries\Tdceco.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\Public\Libraries\Tdceco.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\Public\Libraries\Tdceco.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\logagent.exe Code function: 5_2_50489900 rdtsc 5_2_50489900
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Process information queried: ProcessInformation Jump to behavior
Source: mWyPrcv7Pl.exe, 00000000.00000002.390452872.00000000007AA000.00000004.00000020.00020000.00000000.sdmp, mWyPrcv7Pl.exe, 00000000.00000002.390347917.0000000000769000.00000004.00000020.00020000.00000000.sdmp, Tdceco.exe, 00000009.00000002.455823027.0000000000800000.00000004.00000020.00020000.00000000.sdmp, Tdceco.exe, 00000009.00000002.452401555.0000000000793000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Tdceco.exe, 00000009.00000002.455823027.0000000000800000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW,
Source: mWyPrcv7Pl.exe, 00000000.00000002.390395110.00000000007A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWd
Source: C:\Windows\SysWOW64\logagent.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Code function: 0_3_04A580BC LdrInitializeThunk, 0_3_04A580BC

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 50480000 Jump to behavior
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: E70000 Jump to behavior
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: F50000 Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 50480000 Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 3560000 Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 36B0000 Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 50500000 Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 36D0000 Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 3730000 Jump to behavior
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 50480000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: E70000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: F50000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 50480000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 3560000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 36B0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 50500000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 36D0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 3730000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: F50000 Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 36B0000 Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 3730000 Jump to behavior
Source: C:\Users\user\Desktop\mWyPrcv7Pl.exe Process created: C:\Windows\SysWOW64\logagent.exe "C:\Windows\System32\logagent.exe" Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process created: C:\Windows\SysWOW64\logagent.exe "C:\Windows\System32\logagent.exe" Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process created: C:\Windows\SysWOW64\logagent.exe "C:\Windows\System32\logagent.exe" Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Process created: C:\Windows\SysWOW64\logagent.exe "C:\Windows\System32\logagent.exe" Jump to behavior
Source: C:\Users\Public\Libraries\Tdceco.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

barindex
Source: Yara match File source: 00000005.00000000.389338625.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.475401299.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.474297388.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.388219824.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.475449028.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.474331045.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.453262213.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.450674781.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.448442366.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.473577775.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.503688702.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.394645483.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.449569944.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.394525004.0000000005513000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.447559623.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.388844509.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.473551202.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.502458592.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.395850704.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.436669123.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.503717649.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519512838.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.472847590.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.502333065.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.389772957.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519477027.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.463823429.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.472811054.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

barindex
Source: Yara match File source: 00000005.00000000.389338625.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.475401299.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.474297388.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.388219824.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.475449028.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.474331045.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.453262213.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.450674781.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.448442366.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.473577775.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.503688702.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.394645483.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.449569944.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.394525004.0000000005513000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.447559623.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.388844509.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.473551202.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.502458592.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.395850704.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.436669123.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.503717649.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519512838.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.472847590.0000000050501000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.502333065.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.389772957.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519477027.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.463823429.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.472811054.0000000050481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY