Windows Analysis Report
1a#U00bb.exe

Overview

General Information

Sample Name: 1a#U00bb.exe
Analysis ID: 680373
MD5: 251ef95e26d436e7bfe64636978dcc4b
SHA1: 20e2ea6899d155780231abde49730046865c046b
SHA256: 15e1d48f4ba136aa876c88c4fb16fe160795f40e9850252ce1a4f3a695b4fcb7
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected UAC Bypass using ComputerDefaults
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 1a#U00bb.exe Virustotal: Detection: 32%
Source: 1a#U00bb.exe ReversingLabs: Detection: 34%
Source: Yara match File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\Public\Libraries\Djfypqyfx.exe ReversingLabs: Detection: 34%
Source: 1a#U00bb.exe Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Djfypqyfx.exe Joe Sandbox ML: detected
Source: 5.2.cmd.exe.50410000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.cmd.exe.50410000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.cmd.exe.50410000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.1a#U00bb.exe.2637778.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.cmd.exe.50410000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.cmd.exe.50410000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.bradwareham.com/2dou/"], "decoy": ["/OEd9KnwK/iP", "zlyDQht5zbJFuAXSIdTUjw==", "kDYUq8UfDwCluA34CDyS", "7HZOV1qT4rFI5mpJrcnoWVc=", "nnBRxMHdw4wosAXSIdTUjw==", "sdQ/2s4XC8g0MFFBBEfViR1V", "oHDnk6LHnHUHiwsLn33GBcm+egCb", "yV2U0Zf13bN3D3x7Df9++fDhF7CILTul", "cUbD5d4TmWcGB+BgyA==", "Kky9XlCLiTQfNUk1/zQ=", "ejVhmGLOqY9fiNPrefZMfFM=", "lVvGdVA2G/K9r8Bdwg==", "Gj+ogjaA9c92ElYsqMnoWVc=", "9yiEqVFDpWT9JJ/cfNrPhw==", "j2DBby8l6rlNV1HhxqOa", "jJoCUeXDOwrETLssvPAFS1E=", "kTJX5Y2Uj2U13OlkcUguJN+eCqGILTul", "VQTbC33cwRTrePw=", "JhV0w4/tyLmFrur+5EHViR1V", "DyZj5vhGPxKtdLzixvlTWFHQU6hIAk2mWw==", "12U9E8X0E92F", "z5HQwa7lRi2/OI74c0aF", "bQsb5a29o3paQIHN6jQ=", "y5HYxYiVCAC5r8Bdwg==", "269NSBh1VCMCSeM=", "1nZZpmfNICP+pNv7WzY=", "bfkgXcI2E9GSQfb4CDyS", "GvZX5N4sGwu0tO8hAd65bfvI++iOb++t", "ESeLNUJmP7mFCVoMjPDFgDUpX+Y=", "VW3K5bgQ55UsXLXxs4aSyIi2I6SILTul", "w2ZJUGKeHeOB3x+d3w==", "Rl261Z+P5r1cXuL4CDyS", "iaoLqarFoIIPihgj/UTViR1V", "UfPoA+jvYE8i5PVr0oZz+3zDvu4=", "sEl4u1N7SiHI/oX5Yt8TVF2Rww==", "ihtTSoHvvRTrePw=", "SGa6AsX0E92F", "PtcQ3Y7RNg2wYOPselSgH7JSxncv8d0=", "5P9njGFf3aqSfNL9", "9I3Q/7YN8L1PYW8/qcnoWVc=", "mSlfnm7TqHUal+BXwQ==", "epsPWRx9lkIdSFxEED0=", "iLEhS0xp2aqSfNL9", "DrWkgDQmekHh72bApvZfh2Jxblk9/dU=", "myf+DvRILfrJbZfPXjw=", "dwHgvnjUtHMGi/Wr+SYM/o/9xg==", "z5mGlY+9EfKVFF79IdTUjw==", "02GPzaC8PxK683jjNoJ4eP3WASbMfw==", "cpz/Rh+BVC8Lywr4CDyS", "eh8D+QYnhE78OsL4c0aF", "fJvt8/Unr2kCJmilinFMOsIz3w==", "eiX8Y0x8Xyra/AUHl3PB/9G9X9NbYA==", "hzVzNdD6iSG0WJfPXjw=", "3XFOI99VVy3vkADSRnZLA8gjowStdw==", "gUuIy3iTa0PVWZfPXjw=", "u09/Bvc/PhPekNv7WzY=", "lzUY+MImAbtHXai84L2zq7xd", "tEh3sX3hyk0wbMr14ETViR1V", "q0k0lVzZVUXxnhwO7leqpagfowStdw==", "x+lIFdjd5smUWZ3pzQdimF8=", "fh9Sg0CljRTrePw=", "oHIeFMb0E92F", "23utFO8RLgGlvA34CDyS", "/hl0LfDlqXALM3vFqOZCPM2+egCb"]}

Exploits

Source: Yara match File source: 0.2.1a#U00bb.exe.2637778.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1a#U00bb.exe.2637778.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.303458989.0000000002268000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.303584675.00000000025FD000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.379536299.00000000022D8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.319230317.00000000023A8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1a#U00bb.exe PID: 6128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Djfypqyfx.exe PID: 5068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Djfypqyfx.exe PID: 5460, type: MEMORYSTR
Source: 1a#U00bb.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 109.234.162.66:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: Binary string: wscript.pdbGCTL source: cmd.exe, 00000005.00000002.488066235.0000000005380000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000005.00000003.305572932.0000000003502000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.301795534.0000000003371000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.543274704.000000000513F000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.475337207.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.539671067.0000000005020000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.480850026.0000000004E88000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, cmd.exe, 00000005.00000003.305572932.0000000003502000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.301795534.0000000003371000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.543274704.000000000513F000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.475337207.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.539671067.0000000005020000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.480850026.0000000004E88000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wscript.pdb source: cmd.exe, 00000005.00000002.488066235.0000000005380000.00000040.10000000.00040000.00000000.sdmp

Networking

Source: Malware configuration extractor URLs: www.bradwareham.com/2dou/
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: 1a#U00bb.exe, 00000000.00000003.260419711.0000000000581000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000014.00000000.398232671.000000000DDE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.433438029.000000000DDE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.460718387.000000000DDE3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft.co0
Source: wscript.exe, 0000001E.00000002.546799518.00000000056A6000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.admiral-juegos.com/?fp=kkRBX1Mn5VLBDZ2cLYLxqMJfDhR5T9gHAiN23tab35viuN5iJaTX3x0tDUZhqU%2Fe
Source: 1a#U00bb.exe, 00000000.00000003.261044820.00000000005A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resimarmo.com/
Source: Djfypqyfx.exe, 0000000F.00000002.380461413.000000000349E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://resimarmo.com/yakdatafilesloadsonedrivedocumentsuploadgoogledownload/Djfypqyfxwyivtfoakxovbb
Source: unknown DNS traffic detected: queries for: resimarmo.com
Source: global traffic HTTP traffic detected: GET /yakdatafilesloadsonedrivedocumentsuploadgoogledownload/Djfypqyfxwyivtfoakxovbbaompeayl HTTP/1.1User-Agent: lValiHost: resimarmo.com
Source: global traffic HTTP traffic detected: GET /yakdatafilesloadsonedrivedocumentsuploadgoogledownload/Djfypqyfxwyivtfoakxovbbaompeayl HTTP/1.1User-Agent: 7@Host: resimarmo.com
Source: unknown HTTPS traffic detected: 109.234.162.66:443 -> 192.168.2.3:49738 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 1a#U00bb.exe PID: 6128, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmd.exe PID: 5692, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: Djfypqyfx.exe PID: 5068, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: Djfypqyfx.exe PID: 5460, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: wscript.exe PID: 1428, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1a#U00bb.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 1a#U00bb.exe PID: 6128, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 5692, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: Djfypqyfx.exe PID: 5068, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: Djfypqyfx.exe PID: 5460, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: wscript.exe PID: 1428, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\Public\Libraries\xfyqpyfjD.url, type: DROPPED Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: C:\Users\Public\Libraries\xfyqpyfjD.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EAB40 5_2_036EAB40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03792B28 5_2_03792B28
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037803DA 5_2_037803DA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378DBD2 5_2_0378DBD2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FEBB0 5_2_036FEBB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0377FA2B 5_2_0377FA2B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037922AE 5_2_037922AE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E4120 5_2_036E4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CF900 5_2_036CF900
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E99BF 5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0379E824 5_2_0379E824
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EA830 5_2_036EA830
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781002 5_2_03781002
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037928EC 5_2_037928EC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F20A0 5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037920A8 5_2_037920A8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036DB090 5_2_036DB090
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03791FF1 5_2_03791FF1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0379DFCE 5_2_0379DFCE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E6E30 5_2_036E6E30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378D616 5_2_0378D616
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03792EF7 5_2_03792EF7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03791D55 5_2_03791D55
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C0D20 5_2_036C0D20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03792D07 5_2_03792D07
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036DD5E0 5_2_036DD5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037925DD 5_2_037925DD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F2581 5_2_036F2581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378D466 5_2_0378D466
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D841F 5_2_036D841F
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 036CB150 appears 66 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0370A3B0 NtGetContextThread,LdrInitializeThunk, 5_2_0370A3B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709A50 NtCreateFile,LdrInitializeThunk, 5_2_03709A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709A20 NtResumeThread,LdrInitializeThunk, 5_2_03709A20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709950 NtQueueApcThread,LdrInitializeThunk, 5_2_03709950
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_03709910
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037099A0 NtCreateSection,LdrInitializeThunk, 5_2_037099A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_03709860
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0370B040 NtSuspendThread,LdrInitializeThunk, 5_2_0370B040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709840 NtDelayExecution,LdrInitializeThunk, 5_2_03709840
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709710 NtQueryInformationToken,LdrInitializeThunk, 5_2_03709710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709FE0 NtCreateMutant,LdrInitializeThunk, 5_2_03709FE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037097A0 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_037097A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709780 NtMapViewOfSection,LdrInitializeThunk, 5_2_03709780
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037096E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_037096E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709540 NtReadFile,LdrInitializeThunk, 5_2_03709540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0370AD30 NtSetContextThread,LdrInitializeThunk, 5_2_0370AD30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037095D0 NtClose,LdrInitializeThunk, 5_2_037095D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709B00 NtSetValueKey, 5_2_03709B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709A10 NtQuerySection, 5_2_03709A10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709A00 NtProtectVirtualMemory, 5_2_03709A00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709A80 NtOpenDirectoryObject, 5_2_03709A80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037099D0 NtCreateProcessEx, 5_2_037099D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709820 NtEnumerateKey, 5_2_03709820
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037098F0 NtReadVirtualMemory, 5_2_037098F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037098A0 NtWriteVirtualMemory, 5_2_037098A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0370A770 NtOpenThread, 5_2_0370A770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709770 NtSetInformationFile, 5_2_03709770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709760 NtOpenProcess, 5_2_03709760
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709730 NtQueryVirtualMemory, 5_2_03709730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0370A710 NtOpenProcessToken, 5_2_0370A710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709670 NtQueryInformationProcess, 5_2_03709670
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709660 NtAllocateVirtualMemory, 5_2_03709660
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709650 NtQueryValueKey, 5_2_03709650
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709610 NtEnumerateValueKey, 5_2_03709610
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037096D0 NtCreateKey, 5_2_037096D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709560 NtWriteFile, 5_2_03709560
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03709520 NtWaitForSingleObject, 5_2_03709520
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037095F0 NtQueryInformationFile, 5_2_037095F0
Source: 1a#U00bb.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Djfypqyfx.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\1a#U00bb.exe Section loaded: system.dll
Source: C:\Users\Public\Libraries\Djfypqyfx.exe Section loaded: system.dll
Source: 1a#U00bb.exe Virustotal: Detection: 32%
Source: 1a#U00bb.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\1a#U00bb.exe File read: C:\Users\user\Desktop\1a#U00bb.exe
Source: C:\Users\user\Desktop\1a#U00bb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\1a#U00bb.exe "C:\Users\user\Desktop\1a#U00bb.exe"
Source: C:\Users\user\Desktop\1a#U00bb.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\Libraries\Djfypqyfx.exe "C:\Users\Public\Libraries\Djfypqyfx.exe"
Source: unknown Process created: C:\Users\Public\Libraries\Djfypqyfx.exe "C:\Users\Public\Libraries\Djfypqyfx.exe"
Source: C:\Users\Public\Libraries\Djfypqyfx.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Djfypqyfx.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Users\user\Desktop\1a#U00bb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B091E540-83E3-11CF-A713-0020AFD79762}\InProcServer32
Source: C:\Users\user\Desktop\1a#U00bb.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Djfypqyfxwyivtfoakxovbbaompeayl[1]
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@13/4@2/1
Source: C:\Users\user\Desktop\1a#U00bb.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\1a#U00bb.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Djfypqyfx.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01
Source: C:\Users\user\Desktop\1a#U00bb.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: wscript.pdbGCTL source: cmd.exe, 00000005.00000002.488066235.0000000005380000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000005.00000003.305572932.0000000003502000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.301795534.0000000003371000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.543274704.000000000513F000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.475337207.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.539671067.0000000005020000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.480850026.0000000004E88000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, cmd.exe, 00000005.00000003.305572932.0000000003502000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.480396145.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.483011341.00000000037BF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.301795534.0000000003371000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.543274704.000000000513F000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.475337207.0000000004CEF000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000002.539671067.0000000005020000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000001E.00000003.480850026.0000000004E88000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wscript.pdb source: cmd.exe, 00000005.00000002.488066235.0000000005380000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0371D0D1 push ecx; ret 5_2_0371D0E4
Source: C:\Users\user\Desktop\1a#U00bb.exe File created: C:\Users\Public\Libraries\Djfypqyfx.exe
Source: C:\Users\user\Desktop\1a#U00bb.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Djfypqyfx
Source: C:\Users\Public\Libraries\Djfypqyfx.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\1a#U00bb.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1a#U00bb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Djfypqyfx.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Djfypqyfx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03795BA5 rdtsc 5_2_03795BA5
Source: C:\Windows\SysWOW64\cmd.exe API coverage: 5.7 %
Source: C:\Users\user\Desktop\1a#U00bb.exe Process information queried: ProcessInformation
Source: explorer.exe, 00000014.00000000.457197494.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000014.00000000.429059436.000000000820D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000014.00000000.439828418.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000014.00000000.417862735.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000000.429059436.000000000820D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000014.00000000.454709344.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000000.418245983.000000000072D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: e-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&
Source: explorer.exe, 00000014.00000000.495338215.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000014.00000000.429059436.000000000820D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000014.00000000.457197494.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CDB60 mov ecx, dword ptr fs:[00000030h] 5_2_036CDB60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F3B7A mov eax, dword ptr fs:[00000030h] 5_2_036F3B7A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03798B58 mov eax, dword ptr fs:[00000030h] 5_2_03798B58
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CDB40 mov eax, dword ptr fs:[00000030h] 5_2_036CDB40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CF358 mov eax, dword ptr fs:[00000030h] 5_2_036CF358
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378131B mov eax, dword ptr fs:[00000030h] 5_2_0378131B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EDBE9 mov eax, dword ptr fs:[00000030h] 5_2_036EDBE9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F03E2 mov eax, dword ptr fs:[00000030h] 5_2_036F03E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037453CA mov eax, dword ptr fs:[00000030h] 5_2_037453CA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F4BAD mov eax, dword ptr fs:[00000030h] 5_2_036F4BAD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03795BA5 mov eax, dword ptr fs:[00000030h] 5_2_03795BA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D1B8F mov eax, dword ptr fs:[00000030h] 5_2_036D1B8F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378138A mov eax, dword ptr fs:[00000030h] 5_2_0378138A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0377D380 mov ecx, dword ptr fs:[00000030h] 5_2_0377D380
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F2397 mov eax, dword ptr fs:[00000030h] 5_2_036F2397
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FB390 mov eax, dword ptr fs:[00000030h] 5_2_036FB390
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0370927A mov eax, dword ptr fs:[00000030h] 5_2_0370927A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0377B260 mov eax, dword ptr fs:[00000030h] 5_2_0377B260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03798A62 mov eax, dword ptr fs:[00000030h] 5_2_03798A62
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03754257 mov eax, dword ptr fs:[00000030h] 5_2_03754257
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C9240 mov eax, dword ptr fs:[00000030h] 5_2_036C9240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378EA55 mov eax, dword ptr fs:[00000030h] 5_2_0378EA55
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EA229 mov eax, dword ptr fs:[00000030h] 5_2_036EA229
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03704A2C mov eax, dword ptr fs:[00000030h] 5_2_03704A2C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D8A0A mov eax, dword ptr fs:[00000030h] 5_2_036D8A0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378AA16 mov eax, dword ptr fs:[00000030h] 5_2_0378AA16
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E3A1C mov eax, dword ptr fs:[00000030h] 5_2_036E3A1C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CAA16 mov eax, dword ptr fs:[00000030h] 5_2_036CAA16
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C5210 mov eax, dword ptr fs:[00000030h] 5_2_036C5210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C5210 mov ecx, dword ptr fs:[00000030h] 5_2_036C5210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F2AE4 mov eax, dword ptr fs:[00000030h] 5_2_036F2AE4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F2ACB mov eax, dword ptr fs:[00000030h] 5_2_036F2ACB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C52A5 mov eax, dword ptr fs:[00000030h] 5_2_036C52A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036DAAB0 mov eax, dword ptr fs:[00000030h] 5_2_036DAAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FFAB0 mov eax, dword ptr fs:[00000030h] 5_2_036FFAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FD294 mov eax, dword ptr fs:[00000030h] 5_2_036FD294
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CC962 mov eax, dword ptr fs:[00000030h] 5_2_036CC962
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CB171 mov eax, dword ptr fs:[00000030h] 5_2_036CB171
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EB944 mov eax, dword ptr fs:[00000030h] 5_2_036EB944
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E4120 mov eax, dword ptr fs:[00000030h] 5_2_036E4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E4120 mov ecx, dword ptr fs:[00000030h] 5_2_036E4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F513A mov eax, dword ptr fs:[00000030h] 5_2_036F513A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C9100 mov eax, dword ptr fs:[00000030h] 5_2_036C9100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C9100 mov eax, dword ptr fs:[00000030h] 5_2_036C9100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CB1E1 mov eax, dword ptr fs:[00000030h] 5_2_036CB1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CB1E1 mov eax, dword ptr fs:[00000030h] 5_2_036CB1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CB1E1 mov eax, dword ptr fs:[00000030h] 5_2_036CB1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037541E8 mov eax, dword ptr fs:[00000030h] 5_2_037541E8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037451BE mov eax, dword ptr fs:[00000030h] 5_2_037451BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037451BE mov eax, dword ptr fs:[00000030h] 5_2_037451BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037451BE mov eax, dword ptr fs:[00000030h] 5_2_037451BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037451BE mov eax, dword ptr fs:[00000030h] 5_2_037451BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F61A0 mov eax, dword ptr fs:[00000030h] 5_2_036F61A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F61A0 mov eax, dword ptr fs:[00000030h] 5_2_036F61A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h] 5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h] 5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E99BF mov eax, dword ptr fs:[00000030h] 5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h] 5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h] 5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E99BF mov eax, dword ptr fs:[00000030h] 5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h] 5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h] 5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E99BF mov eax, dword ptr fs:[00000030h] 5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h] 5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E99BF mov ecx, dword ptr fs:[00000030h] 5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E99BF mov eax, dword ptr fs:[00000030h] 5_2_036E99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037469A6 mov eax, dword ptr fs:[00000030h] 5_2_037469A6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037849A4 mov eax, dword ptr fs:[00000030h] 5_2_037849A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037849A4 mov eax, dword ptr fs:[00000030h] 5_2_037849A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037849A4 mov eax, dword ptr fs:[00000030h] 5_2_037849A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037849A4 mov eax, dword ptr fs:[00000030h] 5_2_037849A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FA185 mov eax, dword ptr fs:[00000030h] 5_2_036FA185
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EC182 mov eax, dword ptr fs:[00000030h] 5_2_036EC182
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F2990 mov eax, dword ptr fs:[00000030h] 5_2_036F2990
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03782073 mov eax, dword ptr fs:[00000030h] 5_2_03782073
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03791074 mov eax, dword ptr fs:[00000030h] 5_2_03791074
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E0050 mov eax, dword ptr fs:[00000030h] 5_2_036E0050
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E0050 mov eax, dword ptr fs:[00000030h] 5_2_036E0050
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F002D mov eax, dword ptr fs:[00000030h] 5_2_036F002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F002D mov eax, dword ptr fs:[00000030h] 5_2_036F002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F002D mov eax, dword ptr fs:[00000030h] 5_2_036F002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F002D mov eax, dword ptr fs:[00000030h] 5_2_036F002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F002D mov eax, dword ptr fs:[00000030h] 5_2_036F002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036DB02A mov eax, dword ptr fs:[00000030h] 5_2_036DB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036DB02A mov eax, dword ptr fs:[00000030h] 5_2_036DB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036DB02A mov eax, dword ptr fs:[00000030h] 5_2_036DB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036DB02A mov eax, dword ptr fs:[00000030h] 5_2_036DB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EA830 mov eax, dword ptr fs:[00000030h] 5_2_036EA830
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EA830 mov eax, dword ptr fs:[00000030h] 5_2_036EA830
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EA830 mov eax, dword ptr fs:[00000030h] 5_2_036EA830
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EA830 mov eax, dword ptr fs:[00000030h] 5_2_036EA830
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03747016 mov eax, dword ptr fs:[00000030h] 5_2_03747016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03747016 mov eax, dword ptr fs:[00000030h] 5_2_03747016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03747016 mov eax, dword ptr fs:[00000030h] 5_2_03747016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03794015 mov eax, dword ptr fs:[00000030h] 5_2_03794015
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03794015 mov eax, dword ptr fs:[00000030h] 5_2_03794015
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C58EC mov eax, dword ptr fs:[00000030h] 5_2_036C58EC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C40E1 mov eax, dword ptr fs:[00000030h] 5_2_036C40E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C40E1 mov eax, dword ptr fs:[00000030h] 5_2_036C40E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C40E1 mov eax, dword ptr fs:[00000030h] 5_2_036C40E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0375B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0375B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0375B8D0 mov ecx, dword ptr fs:[00000030h] 5_2_0375B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0375B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0375B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0375B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0375B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0375B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0375B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0375B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0375B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F20A0 mov eax, dword ptr fs:[00000030h] 5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F20A0 mov eax, dword ptr fs:[00000030h] 5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F20A0 mov eax, dword ptr fs:[00000030h] 5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F20A0 mov eax, dword ptr fs:[00000030h] 5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F20A0 mov eax, dword ptr fs:[00000030h] 5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F20A0 mov eax, dword ptr fs:[00000030h] 5_2_036F20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FF0BF mov ecx, dword ptr fs:[00000030h] 5_2_036FF0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FF0BF mov eax, dword ptr fs:[00000030h] 5_2_036FF0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FF0BF mov eax, dword ptr fs:[00000030h] 5_2_036FF0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037090AF mov eax, dword ptr fs:[00000030h] 5_2_037090AF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C9080 mov eax, dword ptr fs:[00000030h] 5_2_036C9080
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03743884 mov eax, dword ptr fs:[00000030h] 5_2_03743884
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03743884 mov eax, dword ptr fs:[00000030h] 5_2_03743884
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036DFF60 mov eax, dword ptr fs:[00000030h] 5_2_036DFF60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03798F6A mov eax, dword ptr fs:[00000030h] 5_2_03798F6A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036DEF40 mov eax, dword ptr fs:[00000030h] 5_2_036DEF40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C4F2E mov eax, dword ptr fs:[00000030h] 5_2_036C4F2E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C4F2E mov eax, dword ptr fs:[00000030h] 5_2_036C4F2E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FE730 mov eax, dword ptr fs:[00000030h] 5_2_036FE730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FA70E mov eax, dword ptr fs:[00000030h] 5_2_036FA70E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FA70E mov eax, dword ptr fs:[00000030h] 5_2_036FA70E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0375FF10 mov eax, dword ptr fs:[00000030h] 5_2_0375FF10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0375FF10 mov eax, dword ptr fs:[00000030h] 5_2_0375FF10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0379070D mov eax, dword ptr fs:[00000030h] 5_2_0379070D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0379070D mov eax, dword ptr fs:[00000030h] 5_2_0379070D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EF716 mov eax, dword ptr fs:[00000030h] 5_2_036EF716
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037037F5 mov eax, dword ptr fs:[00000030h] 5_2_037037F5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03747794 mov eax, dword ptr fs:[00000030h] 5_2_03747794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03747794 mov eax, dword ptr fs:[00000030h] 5_2_03747794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03747794 mov eax, dword ptr fs:[00000030h] 5_2_03747794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D8794 mov eax, dword ptr fs:[00000030h] 5_2_036D8794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D766D mov eax, dword ptr fs:[00000030h] 5_2_036D766D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EAE73 mov eax, dword ptr fs:[00000030h] 5_2_036EAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EAE73 mov eax, dword ptr fs:[00000030h] 5_2_036EAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EAE73 mov eax, dword ptr fs:[00000030h] 5_2_036EAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EAE73 mov eax, dword ptr fs:[00000030h] 5_2_036EAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EAE73 mov eax, dword ptr fs:[00000030h] 5_2_036EAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D7E41 mov eax, dword ptr fs:[00000030h] 5_2_036D7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D7E41 mov eax, dword ptr fs:[00000030h] 5_2_036D7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D7E41 mov eax, dword ptr fs:[00000030h] 5_2_036D7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D7E41 mov eax, dword ptr fs:[00000030h] 5_2_036D7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D7E41 mov eax, dword ptr fs:[00000030h] 5_2_036D7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D7E41 mov eax, dword ptr fs:[00000030h] 5_2_036D7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378AE44 mov eax, dword ptr fs:[00000030h] 5_2_0378AE44
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378AE44 mov eax, dword ptr fs:[00000030h] 5_2_0378AE44
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0377FE3F mov eax, dword ptr fs:[00000030h] 5_2_0377FE3F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CE620 mov eax, dword ptr fs:[00000030h] 5_2_036CE620
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CC600 mov eax, dword ptr fs:[00000030h] 5_2_036CC600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CC600 mov eax, dword ptr fs:[00000030h] 5_2_036CC600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CC600 mov eax, dword ptr fs:[00000030h] 5_2_036CC600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F8E00 mov eax, dword ptr fs:[00000030h] 5_2_036F8E00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781608 mov eax, dword ptr fs:[00000030h] 5_2_03781608
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FA61C mov eax, dword ptr fs:[00000030h] 5_2_036FA61C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FA61C mov eax, dword ptr fs:[00000030h] 5_2_036FA61C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F16E0 mov ecx, dword ptr fs:[00000030h] 5_2_036F16E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D76E2 mov eax, dword ptr fs:[00000030h] 5_2_036D76E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F36CC mov eax, dword ptr fs:[00000030h] 5_2_036F36CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03798ED6 mov eax, dword ptr fs:[00000030h] 5_2_03798ED6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0377FEC0 mov eax, dword ptr fs:[00000030h] 5_2_0377FEC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03708EC7 mov eax, dword ptr fs:[00000030h] 5_2_03708EC7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037446A7 mov eax, dword ptr fs:[00000030h] 5_2_037446A7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03790EA5 mov eax, dword ptr fs:[00000030h] 5_2_03790EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03790EA5 mov eax, dword ptr fs:[00000030h] 5_2_03790EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03790EA5 mov eax, dword ptr fs:[00000030h] 5_2_03790EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0375FE87 mov eax, dword ptr fs:[00000030h] 5_2_0375FE87
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EC577 mov eax, dword ptr fs:[00000030h] 5_2_036EC577
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036EC577 mov eax, dword ptr fs:[00000030h] 5_2_036EC577
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03703D43 mov eax, dword ptr fs:[00000030h] 5_2_03703D43
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03743540 mov eax, dword ptr fs:[00000030h] 5_2_03743540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03773D40 mov eax, dword ptr fs:[00000030h] 5_2_03773D40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E7D50 mov eax, dword ptr fs:[00000030h] 5_2_036E7D50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378E539 mov eax, dword ptr fs:[00000030h] 5_2_0378E539
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0374A537 mov eax, dword ptr fs:[00000030h] 5_2_0374A537
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03798D34 mov eax, dword ptr fs:[00000030h] 5_2_03798D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F4D3B mov eax, dword ptr fs:[00000030h] 5_2_036F4D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F4D3B mov eax, dword ptr fs:[00000030h] 5_2_036F4D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F4D3B mov eax, dword ptr fs:[00000030h] 5_2_036F4D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h] 5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h] 5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h] 5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h] 5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h] 5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h] 5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h] 5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h] 5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h] 5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h] 5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h] 5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h] 5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D3D34 mov eax, dword ptr fs:[00000030h] 5_2_036D3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036CAD30 mov eax, dword ptr fs:[00000030h] 5_2_036CAD30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03778DF1 mov eax, dword ptr fs:[00000030h] 5_2_03778DF1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036DD5E0 mov eax, dword ptr fs:[00000030h] 5_2_036DD5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036DD5E0 mov eax, dword ptr fs:[00000030h] 5_2_036DD5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0378FDE2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0378FDE2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0378FDE2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0378FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0378FDE2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03746DC9 mov eax, dword ptr fs:[00000030h] 5_2_03746DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03746DC9 mov eax, dword ptr fs:[00000030h] 5_2_03746DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03746DC9 mov eax, dword ptr fs:[00000030h] 5_2_03746DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03746DC9 mov ecx, dword ptr fs:[00000030h] 5_2_03746DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03746DC9 mov eax, dword ptr fs:[00000030h] 5_2_03746DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03746DC9 mov eax, dword ptr fs:[00000030h] 5_2_03746DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F35A1 mov eax, dword ptr fs:[00000030h] 5_2_036F35A1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037905AC mov eax, dword ptr fs:[00000030h] 5_2_037905AC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037905AC mov eax, dword ptr fs:[00000030h] 5_2_037905AC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F1DB5 mov eax, dword ptr fs:[00000030h] 5_2_036F1DB5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F1DB5 mov eax, dword ptr fs:[00000030h] 5_2_036F1DB5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F1DB5 mov eax, dword ptr fs:[00000030h] 5_2_036F1DB5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C2D8A mov eax, dword ptr fs:[00000030h] 5_2_036C2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C2D8A mov eax, dword ptr fs:[00000030h] 5_2_036C2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C2D8A mov eax, dword ptr fs:[00000030h] 5_2_036C2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C2D8A mov eax, dword ptr fs:[00000030h] 5_2_036C2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C2D8A mov eax, dword ptr fs:[00000030h] 5_2_036C2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F2581 mov eax, dword ptr fs:[00000030h] 5_2_036F2581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F2581 mov eax, dword ptr fs:[00000030h] 5_2_036F2581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F2581 mov eax, dword ptr fs:[00000030h] 5_2_036F2581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036F2581 mov eax, dword ptr fs:[00000030h] 5_2_036F2581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FFD9B mov eax, dword ptr fs:[00000030h] 5_2_036FFD9B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FFD9B mov eax, dword ptr fs:[00000030h] 5_2_036FFD9B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036E746D mov eax, dword ptr fs:[00000030h] 5_2_036E746D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FA44B mov eax, dword ptr fs:[00000030h] 5_2_036FA44B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0375C450 mov eax, dword ptr fs:[00000030h] 5_2_0375C450
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0375C450 mov eax, dword ptr fs:[00000030h] 5_2_0375C450
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036FBC2C mov eax, dword ptr fs:[00000030h] 5_2_036FBC2C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0379740D mov eax, dword ptr fs:[00000030h] 5_2_0379740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0379740D mov eax, dword ptr fs:[00000030h] 5_2_0379740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0379740D mov eax, dword ptr fs:[00000030h] 5_2_0379740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03781C06 mov eax, dword ptr fs:[00000030h] 5_2_03781C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03746C0A mov eax, dword ptr fs:[00000030h] 5_2_03746C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03746C0A mov eax, dword ptr fs:[00000030h] 5_2_03746C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03746C0A mov eax, dword ptr fs:[00000030h] 5_2_03746C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03746C0A mov eax, dword ptr fs:[00000030h] 5_2_03746C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_037814FB mov eax, dword ptr fs:[00000030h] 5_2_037814FB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03746CF0 mov eax, dword ptr fs:[00000030h] 5_2_03746CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03746CF0 mov eax, dword ptr fs:[00000030h] 5_2_03746CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03746CF0 mov eax, dword ptr fs:[00000030h] 5_2_03746CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03798CD6 mov eax, dword ptr fs:[00000030h] 5_2_03798CD6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036D849B mov eax, dword ptr fs:[00000030h] 5_2_036D849B
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_0370A3B0 NtGetContextThread,LdrInitializeThunk, 5_2_0370A3B0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\cmd.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: BA0000
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Users\Public\Libraries\Djfypqyfx.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\1a#U00bb.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 50410000
Source: C:\Users\user\Desktop\1a#U00bb.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: C00000
Source: C:\Users\user\Desktop\1a#U00bb.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: C10000
Source: C:\Users\user\Desktop\1a#U00bb.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 50410000 protect: page execute and read and write
Source: C:\Users\user\Desktop\1a#U00bb.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: C00000 protect: page execute and read and write
Source: C:\Users\user\Desktop\1a#U00bb.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: C10000 protect: page execute and read and write
Source: C:\Users\user\Desktop\1a#U00bb.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 50410000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\cmd.exe Thread APC queued: target process: C:\Users\Public\Libraries\Djfypqyfx.exe
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 3968
Source: C:\Users\user\Desktop\1a#U00bb.exe Thread created: C:\Windows\SysWOW64\cmd.exe EIP: C10000
Source: C:\Users\user\Desktop\1a#U00bb.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Users\Public\Libraries\Djfypqyfx.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Users\Public\Libraries\Djfypqyfx.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: explorer.exe, 00000014.00000000.346636551.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.439909865.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.417804191.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000014.00000000.453872847.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.492123035.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.392685190.000000000813F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000014.00000000.492123035.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.441226718.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.349182130.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000014.00000000.492123035.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.441226718.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.349182130.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000014.00000000.347010107.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.440010023.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.491023361.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000014.00000000.492123035.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.441226718.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.349182130.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\Public\Libraries\Djfypqyfx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
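The behaviour lines above record two things a responder wants to pull out of a report like this one: the repeated fs:[30h] PEB reads and ProcessDebugPort queries in the cmd.exe and wscript.exe hosts, and a write-then-execute chain from 1a#U00bb.exe into cmd.exe (an RWX allocation at 50410000 whose first written bytes are 4D5A, a second RWX region at C10000 that a new thread is started in, and an APC queued into Djfypqyfx.exe). The Python script below is an added example, not part of the Joe Sandbox report or of the sample's own code. It parses a handful of constructed lines copied in shape from this report, merges memory events per (target process, base address) because the report lists writes before the matching allocations, and flags the injection chain and the debugger probes. The regular expressions, the function names and the finding labels are the example's own assumptions, and it assumes image paths without spaces, as printed in this report.

```python
import re
from collections import defaultdict

# Constructed sample: behaviour lines copied in shape from the report above,
# with the report's own ordering quirk kept (a "Memory written" line appears
# before the "Memory allocated" line for the same region).
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C5210 mov eax, dword ptr fs:[00000030h] 5_2_036C5210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C5210 mov ecx, dword ptr fs:[00000030h] 5_2_036C5210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_036C52A5 mov eax, dword ptr fs:[00000030h] 5_2_036C52A5
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\1a#U00bb.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 50410000
Source: C:\Users\user\Desktop\1a#U00bb.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: C10000
Source: C:\Users\user\Desktop\1a#U00bb.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 50410000 protect: page execute and read and write
Source: C:\Users\user\Desktop\1a#U00bb.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: C10000 protect: page execute and read and write
Source: C:\Users\user\Desktop\1a#U00bb.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 50410000 value starts with: 4D5A
Source: C:\Users\user\Desktop\1a#U00bb.exe Thread created: C:\Windows\SysWOW64\cmd.exe EIP: C10000
Source: C:\Windows\SysWOW64\cmd.exe Thread APC queued: target process: C:\Users\Public\Libraries\Djfypqyfx.exe
"""

# Assumption: image paths contain no spaces, as in this report, so \S+ is enough.
PEB_READ = re.compile(r"^Source: (\S+) Code function: (\S+) mov \w+, dword ptr fs:\[00000030h\]")
DEBUG_PORT = re.compile(r"^Source: (\S+) Process queried: DebugPort")
MEM_ALLOC = re.compile(r"^Source: (\S+) Memory allocated: (\S+) base: ([0-9A-F]+) protect: (.+)$")
MEM_WRITE = re.compile(r"^Source: (\S+) Memory written: (\S+) base: ([0-9A-F]+)(?: value starts with: ([0-9A-F]+))?$")
THREAD_NEW = re.compile(r"^Source: (\S+) Thread created: (\S+) EIP: ([0-9A-F]+)")
APC_QUEUED = re.compile(r"^Source: (\S+) Thread APC queued: target process: (\S+)")


def _region(ev, source, target, base):
    """Memory events are merged per (target, base); the report is not chronological."""
    return ev["regions"].setdefault(
        (target, base),
        {"source": source, "protect": "unknown", "written": False, "magic": None},
    )


def parse_report(text):
    """Turn report lines into a small event model."""
    ev = {
        "peb_reads": defaultdict(int),  # (process, function) -> number of fs:[30h] reads
        "debug_port": set(),            # processes that queried ProcessDebugPort
        "regions": {},                  # (target, base) -> allocation/write state
        "threads": [],                  # (source, target, start EIP)
        "apcs": [],                     # (source, target)
    }
    for line in text.splitlines():
        line = line.strip()
        if m := PEB_READ.match(line):
            ev["peb_reads"][(m[1], m[2])] += 1
        elif m := DEBUG_PORT.match(line):
            ev["debug_port"].add(m[1])
        elif m := MEM_ALLOC.match(line):
            _region(ev, m[1], m[2], m[3])["protect"] = m[4]
        elif m := MEM_WRITE.match(line):
            region = _region(ev, m[1], m[2], m[3])
            region["written"] = True
            if m[4]:
                region["magic"] = m[4]
        elif m := THREAD_NEW.match(line):
            ev["threads"].append((m[1], m[2], m[3]))
        elif m := APC_QUEUED.match(line):
            ev["apcs"].append((m[1], m[2]))
    return ev


def find_injections(ev):
    """Flag the write-then-execute chain into a foreign process as (label, source, target, base)."""
    findings = []
    for (target, base), r in ev["regions"].items():
        if "execute" in r["protect"] and r["magic"] == "4D5A":
            # A PE header written into an executable region of another process.
            findings.append(("pe_image_in_rwx", r["source"], target, base))
        for src, thr_target, eip in ev["threads"]:
            if thr_target == target and eip == base and r["written"]:
                # A remote thread whose start address is a region the source just wrote.
                findings.append(("thread_at_written_region", src, target, base))
    for src, target in ev["apcs"]:
        findings.append(("apc_queued", src, target, None))
    return findings


def anti_debug_summary(ev, min_reads=2):
    """Functions with repeated PEB reads, and processes that probed ProcessDebugPort."""
    hot = sorted((proc, fn, n) for (proc, fn), n in ev["peb_reads"].items() if n >= min_reads)
    return {"peb_hot_functions": hot, "debug_port_queries": sorted(ev["debug_port"])}


if __name__ == "__main__":
    events = parse_report(SAMPLE_LINES)
    for finding in find_injections(events):
        print(finding)
    print(anti_debug_summary(events))
```

A lone mov eax, fs:[30h] is how any 32-bit code reaches the PEB, including position-independent code that resolves APIs through PEB_LDR_DATA, so the PEB-read count marks hand-written or unpacked code rather than proving an anti-debug check; the report does not show which PEB fields (BeingDebugged at offset 0x02, NtGlobalFlag at 0x68 in the 32-bit PEB) are read afterwards. The DebugPort query, the 4D5A write into an RWX region and the thread started at a freshly written base are the signals worth alerting on.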

Stealing of Sensitive Information

Source: Yara match File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.299959844.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.479329024.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.460422107.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.381193910.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.309895318.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.537026751.00000000034A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.380920246.0000000003AD9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.488703408.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.301342863.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.479803163.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.300799185.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.433242777.000000000D48F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.300389282.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.333596734.0000000003C01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.537830907.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.308846513.0000000003A5C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.532023661.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY